NOTICE 


THIS DOCUMENT HAS BEEN REPRODUCED FROM 
MICROFICHE. ALTHOUGH IT IS RECOGNIZED THAT 
CERTAIN PORTIONS ARE ILLEGIBLE, IT IS BEING RELEASED 
IN THE INTEREST OF MAKING AVAILABLE AS MUCH 
INFORMATION AS POSSIBLE 



\ 


* 





>r 

n* 


‘M^'o- s* '■ ^ 

., Boeing Coinmerciir.\irplane Company 

^ P.O. Box 3707 ? 

D Seattle, Washington 981^;# 


: y 




I 

f 


(N H S .> -C? - 1 5^? 2P 1 ) P®''’=’FTT£ 

CPTIMIZ;TTCV FOLRL ?0f FAMI"’ •^rtrrB*;"' 

C!CNT*'CL SYS?v»»s ronttacioi pppor*”, 

S*^p. I'iSO Coa.irc* rci fll 'irrl^^ne Co., 

Seattle) 251 p Mr »'2/'1'' <~^CL 01~ c;3/uo 


1.82-3237& 


Ui.cias 
31 j1S 












FOREWORD 


This report tei'minates NASA-Langley Contract NASI-X5506 for preliminary develop-^ 
ment of a Cost and Benefit Design Optimization Model for fault-tolerant flight control 
systems (FTFCS). The work consisted of three tasks; 

1. Review of existing modeling methods that might be appropriate for fault- 
tolerant system optimization 

2. Development of requirements for a fault-tolerant system optimization model 

3. Development of an optimization model specification 

The work was conducted from October 1978 through December 1979, under the NASA 
Technical Monitor, Mr. A. H. Lindler. Study participants and their areas of contri- 
bution were: 

T. P. Enright, Program Manager 

J. Rose, Principal Investigator 

R. C. Fairfield, FTFCS Definition 

P. Nagel/D. M. Rose, Reliability Model Review 

A. N. Pozner/F. Scholz, Combinatorial Analysis 

J. W. Wassal/D.L. Streiffert, SlMSCRIPT Simulation 

L. B. Shepard, Airline Operational Definitions 

M, J. Healy, Optimization Methods 

A. P. Zob, Airplane Scheduling Methods 

United <5c Delta, Requirement and Specification Review 


CONTENTS 











it 







Page 


1.0 SUMMARY 1 

2.0 INTRODUCTION 3 

3.0 ABBREVIATIONS AND ACRONYMS/IDENTIFIED COSTS AND 5 

BENEFITS 

4.0 MODEL REQUIREMENTS 7 

4.1 Fault-Tolerant Design Options 7 

4.2 Available Models 8 

4.2.1 Reliability Models 8 

4.2.2 Operational and Maintenance Models 9 

4.2.3 Economic Analysis 10 

4.2.4 Airplane Performance 10 

4.2.5 The Miller Model 10 

4.2.6 Optimization 10 

4.3 Model Requirement (Description and Rationale) 11 

4.3.1 Design Evaluation 11 

4.3.2 Design Optimization 11 

4.3.3 Adaptability 12 

4.3.4 Validation 12 

4.3.5 Ease of Change 12 

4.3.6 Risk Analysis 12 

5.0 MODEL SPECIFICATION 13 

5.1 Equipment Description 15 

5.1.1 Evaluation Scenario 15 

5.1.2 Operations and Maintenance Simulation 15 

5.1.3 Economic Analysis 17 

5.1.4 Optimization 18 

5.1.5 Model Simplification 19 

5.2 Operations and Maintenance Simulation 21 

5.2.1 Airplane Scheduling 22 

5.2.2 Substitution and Cancellations 27 

5.2.3 Line Maintenance and Repair 28 

5.2.4 FTFCS Equipment Definition and Failure Status 34 

Recording 

5.2.5 Removal-Generator for the Operations and 38 

Maintenance Simulation 


PRECEDING PAGE BLANK NOT FILMED 


iii 


5.3 Analysis of Investment and Operating Economics 

5.3.1 Cost and Benefit Measurement Parameters 

5.3.2 Investment Cost Definitions 

5.3.3 Operating Co$t Definitions 

5.3.4 Tax Adjustments 

5.3.5 Retirement Costs and Credits 

5.3.6 Operating Benefits 

5.3.7 Economic Risk Analysis 

5.4 Optimization 

5.4.1 The Optimization Problem 

5.4.2 Response Surface Conditioning 

5.4.3 Simplex 

5.4.4 Application of Simplex 

5.4.5 Sensitivity Analysis 

6.0 AIRLINE REVIEW 

6.1 Delta Airlines' Review 
6*2 United Airlines* Review 

7.0 recommendations for phase II 

7.1 Phase II Objectives 

7.2 Phase II, FTFCS Operation and Maintenance Simulation 

7.2.1 Computer System Design (Simulation and Economic 
Analysis) 

7.2.2 Computer Program Design 

7.2.3 Program Testing 

7.2.4 First Model Validation 

7.3 Optimization 

7.3.1 Exploratory Studies 

7.3.2 Final Programming 

7.3.3 Second Model Validation 

7.4 Data Collection and Analysis 

7.4.1 Delay and Cancellation Data Collection 

7.4.2 Repair Shop Data 

7.4.3 Retirement Costs and Credits 

7.5 Preliminary Sensitivity Study 

7.6 Model Implementation 

8.0 REFERENCES 


Page 

39 

40 
43 
46 
63 
65 

65 

66 

67 

67 

68 
70 
73 

75 

76 

76 

77 

79 

79 

79 

79 

79 

80 
80 

80 

80 

81 

81 

81 

81 

81 

81 

81 

81 


I 







82 


iv 


Page 

APPENDIXES 

I* Maintenance Letter-Check Definitions I-l 

U. Airline Cost Estimation System ACES II-l 

HI. Airline Ops. and Maintenance Model AS3031 Ill-l 

IV. An Evaluation of the Miller Model IV-1 

V, Reliability Considerations V-1 

VI. 'Pypical SIFT, FTMP, and FTFCS Concepts VM 

VII. Avionics Repair Shop Simulation VU-i 

VIII. Replicated System Component Removals VUM 

IX. Hypothetical FTMP Cost and Benefit Analysis IX-1 

X. Partition Theory for Counting Possible Packaging Schemes X-1 

XI. Derivation of Delay and Cancellation Cost 

(abstract from Reference 21, D6-40895-1) XI-1 


V 


FIGURES 

No. Page 

1 Critvenl Functions for Fault-Toleront Flight Control Systems 7 

(Hypothetlcnl Airliner) 

2 Elements of the Overoll Model 13 

3 Simplified Cost Benefit Optimization Model 14 

4 The Analysis and Optimization Method 19 

5 Production of Simulation Itineraries and Schedules 23 

G Sample of Partial Tours in Output from Route Generator 24 

7 Computational Procedure for Route Cycle Generation 24 

8 Algorithm for Linking Partial Tours 2G 

9 Algorithm for Determining Fleet Size Ni(0) 27 

lO Typical Line Station Logic 30 

U Repair Shop Logic 33 

12 Physical and Functional Component Sets 30 

13 Example of Simulation Record Keeping 37 

14 Comparison of FTFCS State and Specified Dispatch Requirements 38 

15 Risk Analysis 66 

16 Separate Effects of g(x) ond h(x) 69 

17 Combined Effects of f(x) = g(x) + h(x) 69 

18 Optimization Procedure 7i 

19 Flow Chart for Simplex Method 72 

20 iiasic Simplex Operations 73 

21 Simplex in 3-Dimensional Configuration Space 74 


PRECEDING PAGE BLANK NOT FILMED 


Li 


,-Y 


fl.' 



TABLES 



No. 


Page 

. o 

1 

Multiplier Factors to Convert Stable Maintenance Costs to 
Cost per Hour During Each Year 

20 


2 

Sample Airplane Itinerary for Day 1 

28 

if 

3 

Investment Decision Alternatives 

40 


4 

Material Inflation Percentage 

44 


5 

Material Stock Levels 

45 

L \ 

6 

Base Pay Per Labor Hour 

48 

* ^ 

7 

Material Inflation Factors 

49 


8 

Cost of Additional Airplane Weight Based on 3000 Flight 
Hours/Year 

54 

■ » 

9 

Mission Summary 

55 


10 

Standard Airplane Seating 

56 


u 

Flight Hour/Flight Cycle Failure Factors by ATA System for 
a 1-Hour Flight 

57 

D 

12 

Pilot and Copilot Pay Inflation Factors 

58 


13 

Tax Depreciation Schedule 

64 





Q j 


0 


0 

viii 


1.0 SUMMARY 


I? aiiH- tolerant systems have the potential for providing the high levels of reliability 
necessary for airplane flight-critical and flight-critical functions. This report 
addresses the problem of selecting the most cost-effective fault-tolerant system from 
the many system alternatives. The objectives of the study, therefore, were to 
determine the means of evaluating alternative configurations of a fault-tolerant 
system operating in different commercial airline environments and to develop a 
method of optimizing their design characteristics for a given environment. A set of 
requirements for an optimization model was developed, and the models that could 
potentially satisfy these requirements v/cre reviewed. No single model was found 
capable of performing the required analysis. However, several existing models can be 
modified and combined to provide most of the required optimization capability. 

The proposed, combined model is one that simulates as closely as possible the opera- 
tion of fault-tolerant systems in airline service. The model will simulate real-world 
airline operations and generate statistics on operating benefits and penalties, labor and 
material resources expended, and the resulting economic advantages and penalties. 
Since many dependent variables are involved in such analyses, careful selection of an 
optimization method was necessary. The report provides details of the optimization 
technique selected and details of the algorithms to be used throughout the model. 
Airline review of the model was solicited, and many of the comments received were 
embodied in the model, 


1 


2.0 INTRODUCTIOK 


Digital system technology is growing rapidly, and the advent of large-scale integration 
(LSI) components is providing the ability to automate complex control functions. This 
document addresses the problem of evaluating cost effectiveness and selecting the 
appropriate fault-tolerant flight control systems (FTFCS). The selection is compli- 
cated by the numerous design configurations that have become available as a direct 
result of the increasing versatility and relatively low procurement costs of the system 
components. The objective of this study was to create the capability to evaluate the 
effect of an aircraft FTFCS on commercial avrllne operations and to use this capabil- 
ity In tradeoff studies to optimize FTFCS eesign. 

This document describes the work accomplished on KASA Contract NASl-15506 as 
Phase I of a possible three-phase NASA program. The purpose of Phase 1 was to 
evaluate existing and new modeling methods and, based on this evaluation, to develop 
model requirements and specifications for a Cost Benefit Design Optimization Model 
(CBDOM), The approach for completing the work needed to develop model 
requirements and specifications was as follows: 

1. Make a literature search for available models capable of performing a part or all 
of the required functions for Cost Benefit Optimization. 

2. Become familiar with fault-tolerant flight control concepts that might be 
conceived in the 1980-1990 time period to ensure that the model developed can 
be used to analyze potential flight control concepts. 

3. Develop a set of model requirements. 

4. Develop a model specification. 

5. Document the critical assumptions and rationale on which the requirements and 
specifications are based. 

Since there is no way of testing the validity of many potential simplifying assumptions, 
the model developed is initially a very comprehensive one. However, once results 
become available, it will be possible to determine the important parameters and make 
valid siinplifications in the interests of economy. 

The model design provides an ability to simulate the operation of FTFCS in typical or 
actual airline scenarios, the latter being important for model validation. Although 
there was no question of the ability to use the completed model for evaluation of given 
design concepts, it was necessary to devote considerable effort to the problem of 
optimization. A pattern search method was selected as the only practical method of 
optimization. The amount of design optimization that can be performed is a function 
of how efficiently the model can be programmed. An efficient program will facilitate 
the optimization of the amount of replication to be used. The determination of the 
best equipment packaging design has also been examined and represents a very large 
optimization study, depending not only on an efficient program, but also on a sizable 
amount of computer time. 

Since program efficiency is Important, SIMSCRIPT was selected as the best of several 
possible programming languages for the simulation portion of the model. SIMSCillPT 
is compatible with POllTRAN, which is tlie language for other portions of the model 
partially in existence; namely, the economic analysis and search technique. 

3 

PRFfjEDING PAGE BLANK NOT FILMED 



Possible use of the model by airlines for examination of the potential benefits of 
PTFCS was a consideration in developing the specification. 

V V ^ 

Finally, the model requirements and specification were reviewed by both Delta and I 

United Airlines at their draft stage and found tr be acceptable in both the methods of I 

maintenance and economic analysis. | 

I 

j 


■fe 

r 




3.0 ABBREVIATIONS AND ACRONYMS 


ACES 

ACSVNT 

AFTI 

AS3031 

ATE 

CAB 

CARE 

CARSRA 

CBDOM 

CLP 

EllOl 

FAA 

FCD 

FCR 

FICA 

FIFO 

FMC 

FORTRAN 

FPS 

FTFCS 

FTMP 

GASP 

gla 

GOALS 

GPSS 

HFCS 

IAAC 

IBM 

INC 

10 

IRS 

ITC 

KMS 

LAS 

LIFO 

LRU 

LSI 

MAIIR 

MLC 

MOVES 

NRC 

OAG 

OB 

05cM 

ORLA 

PAS 

PASCAL 

ROI 

SIFT 

SIMSCRIPT 

SRI 


Airline Cost Estimatlnif System 

Aircraft Synthesis Program 

Advanced Flight Technology Integration 

comprehensive simulation of a commercial airplane operation 

automatic test equipment 

Civil Aeronautics Board 

Computer-Aided Reliability Analysis 

Computer-Aided Redundant System Reliability Analysis 

Cost and Benefit Design Optimization Model 

lease payments 

extra return on investment 

Federal Aviation Administration 

fuel consunied because of drag 

fuel cost reductions 

federal payroll taxes 

first in first out 

flutter mode control 

Formula Translation— a programming language 
foot, pound, second unib 
fault-tolerant flight control system (s) 

Fault-Tolerant Multiprocessor 
a simulation programming language 
gust load alleviation 

General Operation and Logistics Support Model 

General Purpose Simulation System 

Hypothetical Flight Control System 

Integrated Application of Active Controls 

International Business Machines 

Federal and State income tax 

input, output 

Internal Revenue Service 

investment tax ci dit 

kilogram, meter, second units 

lateral-augmented stability 

last in first out 

line-replaceable unit 

large-scale integration 

minimum attractive rate of return 

Maneuver Load Control 

Marine Operational V/STOL Environment Simulation 

net retirement credit 

Official Airline Guide 

operating benefits 

operations and maintenance 

Optimum Repair Level Analysis 

pitch-augmented stability 

a programming language 

return on investment or rate of return 

Software Implemented Fault-Tolerant System 

a high-level simulation language 

Stanford Resenreh International 


5 


TA tax adjustments 

TCB total costs benefits 

TDA tax depreciation allowance 

VDEP Vehicle Design Evaluation Program 

V/STOL Vertical or Short Takeoff and Landing 


IDENTIFIED COSTS AND BENEFITS 


Page 


IC 

Investment Cost 

43 

ICAP 

Airplane Parts Procurement and Installation 

43 

ICRS 

Rotatable Spares Investment 

44 

ICES 

Expendable Spares Investment 

44 

ICGS 

Ground Support Equipment 

46 

ICST 

Special Tools and Test Equipment 

46 

ICTM 

Training Equipment 

46 

OC 

Operating Cost 

46 

MLL 

Maintenance Line Labor 

47 

MSL 

Maintenance Shop Labor 

48 

MM 

Maintenance Materials 

48 

ssc 

Shop and Servicing Supplies 

49 

MB 

Maintenance Burden 

49 

OS 

Outside Services 

51 

iVIT 

Maintenance Training 

52 

FCT 

Flight Crew Training 

52 

SH 

Spares Holding Cost 

52 

FOR 

Fuel Cost Reductions 

53 

DC 

Delay Costs 

56 

CN 

Cancellation Costs 

59 

DT 

Diversion and Turnback Costs 

59 

CDS 

Debt Servicing 

60 

CLP 

Lease Payments 

61 

TGE 

Equipment Transportation Cost 

62 

TA 

Tax Adjustments 

63 

ITC 

Investment Tax Credit 

63 

TDA 

Tax Depreciation Allowance 

64 

INC 

Federal and State Income Tax 

65 

NRC 

Net Retirement Credit 

65 

OB 

Operating Benefits 

65 


6 


ORlGimt PAGH 18 
OF POOR QUALITY 


4.0 MODEL REQUIREMENTS 

To ensure that any model developed will accommodate all fault-tolerant flight control 
system (FTFCS) options, the Contractor reviewed and considered models, data, FTFCS 
designs, active controls options, reliability models, and airline operations and costs. 
This section summarizes the review, including fault-tolerant design options (sec. 4.1), 
available models (sec. 4.2), and model requirements (sec. 4.3), and the requirements 
generated by this review. 

4.1 FAULT-TOLERANT DESIGN OPTIONS 

The options examined in this study range from the application of advanced navigation- 
al concepts through the development of active flight controls. Although they cover a 
wide range of concepts, they were similar in their design features, which require high 
reliability of software, firmware, or hardware for successful operation. An example of 
one such project is the Integrated Application of Active Controls (lAAC) airplane that 
is a part of tne NASA Energy Efficient Transport Program. The lA AC project seeks to 
improve fuel economy by reducing weight and drag using such concepts as: 

• Fly-by-Wlre 

• Relaxed Static Stability 

• Gust and Maneuver Load Alleviation (GLA) 

• Flutter Mode Control (FMC) 

Control surfaces to implement these features are shown In Figure 1. Such concepts 
can be flight crucial and may be flight critical. A flight-crucial function is any 



Figure 1. Critical Functions for Fault-Tolerant Flight Control Systems 
(Hypothetical Airliner} 


1 


function ti)at, by Us complete loss, causes an immediate unconditional flight safety 
hazard. A flight-critical function is any function that, by its complete loss, results in 
a potential flight safety hazard that can be averted by appropriate flight crew actions. 
Of the current active flight control options being considered, only pitch-augmented 
stability (PAS) is flight crucial. The potential use of digital computers for navigation, 
fuel management, systems management, and other critical and noncritical functions 
provides the possibility of Incorporating fault tolerance in other systems. Fault 
tolerance, the ability to sustain a failure without degradotion of function, can be 
achieved by using online spares or by shedding nonessential load(s) when a failure 
occurs. In this way, surplus computation capacity can be used to replace tailed FTFCS 
stages. Using such concepts, fault tolerance provides a method of ochieving safe 
flight control systems with the potential for very high reliability. 

The features of failure detection and recovery^ which are inherent in the design of 
fault-tolerant systems, are achieved in contemporary design concepts by means of 
replication, voting, and reconfiguration. The relatively low cost of digital components 
is now making replication and motive redundancy economically possible and repre- 
sents a new concept for eontral system technology. However, the failure detection 
and recovery features that make fault tolerance possible also make both reliability and 
cost benefit optimization more complicated than for conventional systems. 

To develop a Cost and Benefit P<^sign Optimization Model (CBDOM) that can accom- 
modate the potential fault-tolerant systems developed during the 1980s, the compon- 
ents, software, firmware, and architecture that might be used were identified. Sever- 
al concepts were then reviewed in depth. Including an Advanced Flight Technology 
Integration (AFTI) airplane and two alternative flight control computer concepts 
currently being designed under a NASA-funded contract. The NASA systems are the 
Software Implemented Fault-Tolerant (SIFT) system'^' being developed by Stanford 
Research International (SRI) in collaboration with Bendix, and the Fault-Tolerant 
Multiprocessor (FTMP)(2) under development by Charles Stark Draper laboratories and 
Collins Radio. Typicol SIFT and FTMP concepts and AFTI are described in Appendix 
VI. 


4,2 AVAILABLE MODELS 

Available models that might be used for evaluation and optimization of FTFCS designs 
were identified so that requirements for a new model could be tailored for existing 
model compatibility. Several models were reviewed in detail, including reliability 
(sec. 4.2.1), operational and maintenance (sec. 4.2.2), economic analysis (sec. 4.2,3), 
performance (sec. 4.2.4), the Miller model (sec. 4.2.5), and optimization (sec. 4.2.6), 

4.2.1 Reliability Models 

Five reliability models were reviewed; details are provided in Appendix V. Of the five 
reliability models, Computer-Aided Reliability Analysis (GARE IIl)(3) appears to be the 
most promising approach, with Computer-Aided Redundant System Reliability Analysis 
(CARSllA) as a possible approach if it were further developed. CARE III has the 
ability to handle nonconstant hazard rates, transient fault recovery, complex success- 
path definition with replicated and switched stages, coverage, and latent failure 
modeling. CARSRA is a FORTRAN-programmed Markov model, developed to facili- 
tate the reliability assessment task for fault-tolerant, reconfigurable systems. It has 
been used by the Contractor on several occasions and has given comparable results on 
simple analvses that can be checked by other means. However, the documentation for 
CARSRAt'^J and the FORTRAN code, which was available to the Contractor, does not 


provide sufficient detail or comments to ensure full understanding of the model 
algorithms. Work would be required to document CARSRA and Increase its analysis 
capacity before it could be considered for use in design optimization. 

Fii\allyi as part of Phase 1, a reliability simulation was developed in SIMSCRIPT for a 
simplified fault-tolerant system; it is detailed at the end of Appendix VIU. Complex 
systems can certainly be modeled in a similar way, and the computer programming 
Involved is minimal compared to developing a general-purpose model such as CARE 111. 
However, for a simple system, the computer running time is on the order of 15 seconds 
for 10^ slmulatcu system operating hours. The simulation of simultaneous failures 
witii a very low probability ot occurrence would require 10^"^ simulated system operat- 
ing hours or more to accumulate a statistically-adequate estimate of systejn reliabil- 
ity. Thus, a computer run designed to simulate failures, including simultaneous 
failures for a simple system configuration, could involve 4 or 5 hours of Cyber 175 
computer time. This time would Increase for larger, more complex systems. 

4.2.2 Operational and Maintenance Models 

Operational modeling is defined in this document as the development of mathematical 
models of the events (excluding maintenance) that impact the costs and benefits of 
fault-tolerant systems during typical or specific airline use. The operational model 
determines the degradation of fault-tolerant systems that occurs, the time available 
for maintenance, and the consequence of inadequate maintenance. Maintenance is 
defined as inspection and total or partial restoration of degraded equipment, Both 
operations and maintenance are stochastic processes. 

A search was made for simulations capable of modeling the operation and maintenance 
of fault-tolerant systems. 

AS3031 is a comprehensive simulation of commercial airplane operation and mainten- 
ance tliat provides many of the features necessary to evaluate fault-tolerant systems. 
AS3031, which is fully described in Appendix III, has only some of the features required 
to evaluate fault- tolerant systems. For instance, equipment repair is not simulated 
and different mechanic skill levels are not recognized, Rationale for requiring such 
features is as follows; 

• The ability to add replication to an FTFCS enables maintenance to be deferred 
and delays avoided at some added investment In FTFCS equipment. In turn, 
delaying maintenance until it is convenient allows centralized rather than 
dispersed maintenance. The ability to optimize such maintenance strategies is 
probably important and requires the detailed modeling of repair. 

• On existing flight-critical and flight-crucial systems, Federal Aviation Adminis- 
tration (FA A) Advisory Circalars 120-28B\^) and 120-29(®) require initial and 
recurrent training of personnel used in the maintenance of Category II and III 
landing equipment. It is anticipated that similar requirements will pertain to 
FTFCS and will require a limited number of mechanics with specialized skills. 

The General Operation and Logistics Simulation Support (GOALS) model^7) provides 
for simulation of operations and maintenance of military airplanes. GOALS was 
developed for organizational maintenance simulation and will not handle a network of 
stations and repair shops that is necessary for commercial operation. Written in 
General-Purpose Simulation System (GPSS) for an International Business Machines 


9 


(IBM) computei', GOALS requires « core stornge allocation of 470K bytes, which is a 
large program. 

Marine Operational V/STOL Environment Simulation (MOVES)^®) was developcci by tlio 
Navy to simulate carrier-based or land-based operation and maintenance. Like 
GOALS, it will not Imndle a network of stations and Is also written in QPSS, However, 
the repair routines are very comprehensive and have a logic similar to that needed for 
commercial airplane operation. 

The Mod III Level of Repair .model Is ah Optimum Repair Level Analysis (ORLA) model 
developed as apart of the Naval Air Systems Command Project Explore. While Mod III 
represents state of the art in ORLA, it will only handle a given design configuration, 
and the problem of design for repair has not been tackled. Mod III is written in 
SIMSCRIPT (a high-level simulation language). 

4.2.3 Economic Analysis 

Previous work by the Contractor hod establislied that only one model existed that 
Identifies and isolates cost categories at a level suitable for commercial airplane 
equipment cost analyses and evaluations. This model, the Airline Cost Estimating 
System (ACES), is written in FORTRAN and requires some modif ications so that it can 
accept input from a malntenanco and operations simulation. ACES would also bo 
required to perform cost benefit analyses, rather than just cost comparisons. Cost 
benefit analysis is required to conveniently handle the evaluation of a single fault- 
tolerant system configuration. See Appendix II for a description of ACES. 

4.2.4 Airplane Performance 

WeiglU and drag predictions, which are required to assess the costs and benefits 
associated with a given systemdesign, require tlie capability of calculoting fuel burned 
for a given flight plan. The two performance prediction rnodels reviewed by the 
Contractor were Aircraft Synthesis Program (ACSYNT)(®) and Vehicle Design 
Evaluation Program (VDEP)!^®). Botli models appear too large in scale to be 
Incorporated in the GBDOM, but could be reviewed more tlmroughly to determine if 
parts of tiiem could bo used in tlie future. As a recourse, tabulated performance 
values in the CBDOM could be used, such as those provided in Section l>.3.3 (FCR~fuel 
cost reductions). Such values will be available from NASA studies like the lAAG 
(Contracts NASl-14742 and NASl-15325). 

4.2.5 The MiUer Model 

The work to develop a maintenance model for K-out-of-N subsystems, performed by 
D. R. Miller(ff), is extensively reviewed in Appendix IV, It confirms the desirability 
of using simulation to solve the various problems associated with operating and 
maintaining complex airplane systems. 

4.2.6 Optimization 

The available optimization techniques can be divided into three groups: Heuristic and 
Pattern Search, Integer and Dynamic Programming, and Conjugate Direction Methods. 
The number of different methods is indicative of the difficulty of performing optimiza- 
tions and the variety of optimization problems. Of the techniques reviewed, the direct- 
search Simplex method of Spendiey, llext, and Himsworth(12) and Nelder and Meadti-®) 


10 


seems most appropriate. Purther discussion of their methods is provided in Section 
5.4. 

4.3 MODEL REQUIREMENT (DESCRIPTION AND RATIONALE) 


Having considered typical systems to be optimized and models available to do the job> 
the following set of requirements for a CBDOM was developed. The requirements are 
described first, then the rationale. 

4.3.1 Design Evaluation 

Requirement— The CBDOM should be capable of evaluating alternative design concepts 
of fault-tolerant systems, including computers, software, firmware, sensors, actuators, 
ar^d data buses required for noncritical, critical, and crucial flight control surfaces, 

Rationale—The ability to assess the costs and benefits associated with different design 
configurations enables the best design alternative to be selected. Also implied is the 
ability to use the model in a series of tradeoff studies so that a designer can attempt 
to optimize the design. 

4.3.2 Design Optimization 

Requirement— The CBDOM should be capable of optimizing design. 

Rationale— Many design alternatives are possible within a given system concept and 
can significantly affect costs and benefits. Primary examples of design alternatives 
are the amount of replication and the packaging arrangements used. While the number 
of alternatives for the former are bounded by safety requirements and are therefore 
small, no such convenient boundary exists for the latter, packaging. For example. 
Appendix X shows that while three components can be packaged in five ways, six 
components can be packaged in 233 ways. Subsequent increases are even mere 
druinatic. Packaging affects costs associated with spares, repair, and reliability 
(reliability being degraded by increasing numbers of connectors as the number of 
components to a module becomes smaller). It is unlikely that a designer could truly 
optimize a representative system by comparing the results of a series of tradeoff 
studies, other than by accident. The obove translates into n subset of requirements 
(listed below) that the CBDOM should provide the capability to optimize in terms of 
airline profitability. 

• The levels of redundancy, voting, and replication that should be provided 

• The types and reliability of components and software that are economically 
advantageous 

• The optimum packaging for hardware and software 

• The optimum maintenance plan; 

• Condition monitoring versus periodic maintenance 

• Repair versus discard 

• Locations at which'replacement or repair should be performed (i.e., at line 
stations, base station, or supplier) 


11 


The quantities and locations in whicii spare units should be stocked 




4.3.3 Adaptability 

Requirement— The model should be capable of adaptation so that airlines, and avionics 
and airframe manufacturers can perform cost-of-ownorship analyses for avionic 
component design, and operation and maintenance studies. 

Rationale— As far as can be established, the proposed model fills a gap in the 
analytical tools available not only for design, but also for establishing profitable 
operation of flight control and other airplane systems of similar complexity and 
importance. 

4.3.4 Validation 

Requirement— The CBDOM should be capable of being validated. 

Rationale— The rationale for this requirement is obvious, and its implementation is 
addressed In Sections 7.2 and 7.3. 

4.3.5 Ease of Change 

Requirement— The CBDOM should be capable of being readily changed. 

Rationale— As well as satisfying the requirement for adaptability by manufacturers 
and airlines, the CBDOM model development will be evolutionary. Once a comprehen- 
sive model is validated, it will be possible to make simplifications that can be checked 
for their effect on the results of an optimization. Conversely, it must be possible to 
check the validity of simplifications provided in the interests of economy. 

4.3.6 Risk Analysis 

Requirement— It should be possible to determine the cost consequences of errors in 
estimates, both in input to and output from the model. 

Rationale— Since much of the data used as input to the model will be based on limited 
amounts of interpolated or extrapolated historical data, the ability to establish the 
sensitivity of the design to errors in model input and approximations within the model 
is a requirement, although one that may not be easily satisfied. 


5.0 MODEL SPECIFICATION 

The Cost and Benefit Design Optimization Model (CBDOM) consist, s basically of five 
parts and will have functions described in sections corresponding to the numbered 
blocks of Figure 2. In the CBDOM, a reliability calculation is not Included. As 
previously stated, Computer-Aided Redundant System Reliability Analysis (CARSRA) 
was rejected for two major reasons: Its inability to handle large problems and the lack 
of documented information describing the theoretical basis of the model. The 
alternative choice, Computer-Aided Reliability Analysis (CARE) III, which was 
selected based on information from preliminary detailsv^), appears to be suitable for 
integration in the CBDOM, but will not be available for some time. No other suitable 
model was found. 


Equipment description Evaluation conditions 



Note: Numbers in parentheses correspond to document subsections. 


Figure Z Eiements of the Overall Model 


Given these limitations, the following procedure for using CBDOM is proposed: 

1. The user must establish the weight, drag, and fuel savings associated with the 
desired fault-tolerant flight control system(FTFCS) configurations. Fuel savings 
must be expressed as a function of flight length. 

2. The user must determine the dispatch minimum complement for each type of 
component in the system using a reliability prediction program such as CARE 
IIl(3J. 


13 







3, When provided with details of the design and operating environment, the CDBOM 
will increase the number of components beyond the dispatch minimum comple- 
ment until a cost-optimized system is achieved using a Nelder and Mead simplex 
search technique, described in Section 5,4 and Reference 13. 

4. The user must ensure that replication has not increased to a level where safety 
has been impaired by an increased probability of simultaneous failures due to the 
increased amount of software, firmware, and hardware, 

To the above procedure, a "failure generation" module in the operations and mainte- 
nance (0(ScM) simulation portion of the CBDOM must be included that had not been 
originally planned. A simple combinatorial algorithm was considered and is more fully 
discussed in Section 5.2.5. The proposed CBDOM, shown in Figure 3, could be expand- 
ed to include CARE .lit or parts of an airplane design program such as Aircraft 
Synthesis (ACSYNT)(9). 


INPUT DATA 


SELECT NEXT 
FTFCS 

CONFIQURA- 


SIMULATE 

EQUIPMENT 


GENERATE 

and record 


SIMULATE 

MAINTENANCE 



TION FOR 
ANALYSIS 


OPERATION 


FAILURES 


AND REPAIR 


Fault-tolerant flight control 
system descriptions 
Airline descriptions 
Economic factors 
Optimization controls 
Simulation initialization 
Benefits description 


PERFORM 

ECONOMIC 

ANALYiSiS 



CHANGE 

MAINTENANCE 

RESOURCES 


YES 


YES 


OUTPUT 

RESULTS 


YES 

/MAXIMUMv. 

DETERMINE 


EXAMINE 

^6NFIGURATIOr 

)S4< 

PROFIT 

\^UND^-^ 

NEXT SET 
OF INPUT 
VARIABLES 

4 - 

RESPONSE 

SURFACE 

SAMPLE 


Figure 3. Simplified Cost Benefit Optimization Model 


14 












5.1 EQUIPMENT DESCRIPTION 

Part of the model accepts and contains the user-supplied configuration description. 
For a given range, this description defines the reliability and maintainability 
characteristics of softvvare, firmware, and components that forma stage. Other user 
inputs are the acceptable combinations of stages that form line-replaceable units 
(LRU); dependencies among components, stages, and LRUs; the dispatch-critical 
components; and the turnback and diversion complement of each defined component. 
Characteristics of non-FTFCS equipment that compete for the same maintenance 
facilities as the FTFGS must also be defined, but are fixed from an optimization 
standpoint. Further information on the link lists used for design definition is provided 
in Section 5.2.4. An experimental PASCAL program was developed to demonstrate 
that the recordkeeping function can be performed while simulation of failures is in 
progress, 

5.1.1 Evaluation Scenario 

Part of the model accepts and contains the operating conditions to optimize the 
FTFCS design. These conditions are; (1) a description of airplane schedules, fleet 
size, and route structure; (2) the initial location of maintenance resources; and (3) the 
number of shifts to be used. Economic analysis constants (such as wage rates, the 
price of fuel, and inflation rates) are built into the model, but will change with an 
overriding user input. 

5.1.2 Operations and Maintenance Simulation 

A Monte Carlo simulation is the preferred, if not the only, means of predicting FTFCS 
operating costs. The rationale for using the Monte Carlo simulation instead of a closed- 
form analysis method is provided in the following paragraphs of this section. 

Approximate analyses of a hypothetical fault-tolerant multiprocessor (FTMP) 
performed during this study show that small design changes can significantly affect 
spares quantities and airplane delays (appendix IX). Therefore, two important model 
attributes must be an ability to accurately: (1) predict the spares to be provisioned, 
and (2) represent the incidence of delays. 

The quantity of spares provided is a function not only of the equipment characteristics 
of failure rate, repair time, and cost, but also of airline characteristics of operating 
hours, penalties of stockouts, route structure, shipping costs, and maintenance policy. 
Since one of the consequences of a stockout may be an airplane delay or cancellation, 
spares costs and delay costs are not independent. In turn, delays are a function of a 
number of probabilistic events, including; 

• Airplane scheduled ground time 

• Reliability of equipment 

• Visibility of failures 

• Deferrability of failures 

• Availability of mechanics with the right skills 

• Availability of spares and test equipment 

• Ability to fix the problem at the first attempt 

The lack of independence between spares costs and delay costs, and their stochastic 
nature make a closed-form analytical cost optimization virtually Impossible without 


15 


decoupling and assumptions for which there is no validity test. Appendix IV deals 
further with this point. 


As un alternative to a closed-form optimization, the Monte Carlo simulation repre- 
sents a relatively straightforward, feasible method of producing an effective model. 
Complex stochastic airline processes, with and without dependencies, can be readily 
represented and, with a comprehensive, validated model, simplifying assumptions can 
be made for improving its efficiency and can be checked if computer running time 
becomes a problem. 

As noted in Section 4.2, several available simulations were reviewed for possible 
incorporation into the CBDOM, but none was found suitable for FTFCS optimization. 
The existing simulations did not treat equipment repair in adequate detail and were 
not capable of being used in an optimizing mode without considerable modification. 
Therefore, a new simulation, specified in Section 5.2, is proposed with the ability to 
consider both fixed resources (for model validation against airline actuals) and optimi- 
zable resources. 

Four simulation languages were reviewed for suitability during Phase 1: Formula 
Translation (FORTRAN), GASP, General Purpose Simulation System (GPSS), and 
SIMSGRIPT. SIMSGRIPT was selected because of its economic programming, flexible 
output, easily checked structured code, and compatibility with existing FORTRAN 
programs proposed for use in other parts of the model, 

The algorithms for the proposed simulation, provided in Section 5.2, consist of an 
English language description of the airline operations. This language translates 
directly into SIMSGRIPT code, as illustrated by the following examples; 


English Language 


SIMSGRIPT 


Each LRU enters a prioritized queue on 
arrival at the repair facility. Gomponents 
demanding immediate repair are placed on 
a shortage list and given top priority. 


FOR EAGH JOB IN 
Q1 WITH PRTY = 3, 
GALL INTERRUPT 
GIVING JOB 


Overtime labor is used to alleviate repair 
backlog whenever the backlog is 15 or 
more LRUs. 


IF N.Ql GE 15 
SGHEDULE AN 
END. SHIFT IN 3 
HOURS JUMP AHEAD 


The simulation clock is to be a variable-time advance based on the spacing of discrete 
events such as flights, failures, or repairs that are simulated. For instance, the 
SIMSGRIPT statement "SCHEDULE A FAILURE GIVING TYPE AND UNIT IN 
EXPONENTIAL. F(MTBF(MEMORY),3) HOURS" selects a random sample of time to 
failure from an exponential distribution with a mean = MTBF for component of type 
MEMORY using a random number generator with a seed of 3. Using this technique, it 
is possible to build a model that simulates the stochastic processes associated with 
operating the FTFCS with considerable fidelity and economy. Two programs were 
developed to gain experience in the use of SIMSGRIPT and to assist in a preliminary 
FTFCS sensitivity study. They are described in Appendixes VII and VIII. 

Appendix VIII illustrates the relative economy of developing a simulation, compared to 
the complexity of the closed-form solution that seems to be typical of fault-tolerant 
systems. Appendix VIII provides an example of the use of simulation for reliability 


i 'j 


t 




0 








16 


aiuilysis that had not been contemplated at the beginning of this program and is now 
considered to bo a viable analysis metliod. 

5.1.3 Economic Analysis 

Information generated by the O&M simulation (such as labor hoursi delay hours, and 
spares required) will be translated into dollars. They will then be combined with input 
cost data (such as the equipment and installation investment costs or weight or drag 
savings and penalties) so that cumulative cash flows and profit can be generated for 
the configuration of system and operating conditions being evaluated. The costs and 
benefits to be included in the analysis are listed below. 

• Benefits 

• Increased range 

• increoscd payload 

• Better ride quality 

• Investments 

• Installed equipment 

• Rotatable spares 

§ Expendable spares 

• Ground equipment 

• Special tools 

• Test equipment 

• Training equipment 

• Other 

• Operating costs 

• Maintenance labor 

• Maintenance material 

• Maintenance burden 

• Spares holding 

• Maintenance training 

• Fuel/ weight/drag 

• Delays/cancellations 

• Airplane insurance 

• Debt financing 

• Other 

• Retirement 

• Salvage costs 

• Salvage credits 

• Taxation 

• Investment tax credit 

• Depreciation credit 

• Income tax payments 


17 



The profitability of a design concept Is determine/^ by summing the costs and benefits 
for a given configuration or, in the case of a design comparison, by using differential 
costs and benefits between alternatives. The Airline Cost Estimating System (ACES) 
computer program described in Appendix H provides the capability to perform most of 
the economic analysis required. Modifications to ACES to make it compatible with 
CBDOM requirements are provided in Section 5.3, along with details of algorithms 
already progro m med. 

5.1.4 Optimization 

The variables to be optimized for maximum airline profit consist of two groups. The 
first group is those variables timt produce maximum profit for a given FTFCS config- 
uration, including.* 

• Niimber of mechanics with specified skill levels 

• Number of spares 

• Quantity and effectiveness of automatic test equipment 

• Number of test benches 

• Locations of the above items 

The second group of variables to be optimized are characteristics of the FTFCS design 
and could consist of: 

• The number of replicated components, stages, LRUs, and software packages 

• Packaging alternatives (ranging from everything packaged in a single LRU to 
individual packaging at a physically indivisible level or down to a noneconomical 
level) 

• Time between inspection and scheduled replacements 

111 addition to the optimizable FTFCS characteristics, the user always lias the option of 
changing input to the model for such things as; 

• Remove, replace, and repair time 

• Component, stage, and LRU investment cost 

• Weight, drag, and fuel price 

With user control of these variables, the sensitivity to errors in inputs estimated can 
be established. 

Several methods of optimization were considered, including; 

• Heuristic search— Repeated guesses at input values are made until a good 
solution is found. 

• Complete enumeration— This is considered impractical until sufficient work has 
been performed to reduce the number and range of variables involved with 
FTFCS. 

• Nonlinear simplex search— This is an iterative way of efficiently seeking 
optimum values of the input variables. 



The nonlineor simplex techniquoi developed by Nelder end Mead^^*^), oi^ears to be the 
onl^' satisfactory approach (sec. 5.4). It provides an effective way to reduce the 
number of Input variable design points to be simulated and permits efficient optimisa- 
tion. As a result of using this technique! the analysis is controlled by the optimisation 
routine shown in Figure 4, 



For continuous w§r|abl«, a responsa hypersurfaca In ) + 1 dlmaniioni is ganaratad, 
and for discrete variablas, a | 1 dimansional lattice is produced, 

4. The Analysis and Optimization .Method 


5.1.5 Model Simplification 

Until some realistic FTFCS configurations have been analyzed and different mainten- 
ance strategies examined, it is difficult to determine If all the features that could be 
built into the CBDOM are justified. However, it is proposed that, in the interests of 
economy, some simplifications be made initially. The model incorporates the follow- 
ing simplifications that might be removed subsequently in Phase II or III, If considered 
desirable: 

• The proposed CBDOM provides for simulation of a fixed fleet size. 

Rationale-Fleet buildup generally takes less than a third of the fleet life. 
Developing a scheduling model for a fleet that builds up at a realistic rate would 
probably entail substantial work and could be accomplished later if it Is consider- 
ed necessary to prove that buildup is a second-order effect. Buildup is consid- 
ered a second-order effect because maintenance labor costs per flight hour, 
which generally peak in the second or third year of operation, occur when the 
fleet size is relatively small (table 1). Therefore, a solution is to assume that 
mature and stable costs apply to all years. 

The O&M simulation will be structured so that it can be expanded to allow for a 
varying fleet-size calculation. The provision would necessitate changing several 
inputs yearly, including: 

• Fleet size 

• Route structure 

• Cities served 

• Schedules 

• Station characteristics 


19 






Table 1, Multiplier factors to Convert Stable Maintenance Costs to Costs per Hour 
During Each Year (ref, k) 


Y«ar i(nc« start of oparatlon 



1 

2 

3 

4 

6 

6 

7 and on 

Airframe 








Labor 

0.70 

1.06 

1.18 

1.14 

1.00 

1,00 

1.00 

Matarial 

0.98 

1.21 

1.16 

1.06 

. 1.00 

1.00 

1,00 

Powerplaru 








Labor 

1.46 

1.68 

1.60 

1.32 

1.14 

1.00 

1.00 

Malarial 

0.98 

2.06 

1,96 

1.83 



1,60 

1,31 

1.00 


• Accidents will not be simulated. 

Rationale—Although flight diversions and accidents are high-cost events, they 
are infrequent on today’s airplanes and should be less so with FTFCS airplanes. 
Fop instance, if the FTFCS is designed to achieve a failure probability of less 
than i0"9 for a XO-hr flight, then for an accident with cost consequences includ- 
ing litigation of $1 billion, the effect is as little as $0.10/flight hour and can be 
neglected. 

• Realistic simulation of events following a cancellation or diversion is difficult. 
However, their economic effect will be approximated using a cost penalty, 
calculated as shown under CN and DT in Section 5.3.3, based on the loss of the 
discrepant flight and all subsequent flights to the end of the day. The simulation 
schedule of flights then will be completed as though no interruption had occured. 

Rationale— In practice, the decision to use a substitute airplane or cancel a flight 
involves complex decision logic based on the experience and intuition of teams of 
airline schedulers. An unknown, but certainly large, amount of work would be 
required to establish and model the rescheduling logits to account for 
cancellations or diversions anu would entail an ability to dynamically reschedule 
airplanes in the CBDOM. 

• Software and firmware will be assumed to have reliability and maintainability 
characteristics similar to hardware. 

Rationale— The analyst will be able to treat software packages and modules as 
though they were hardware by providing failure rates and ’’repair times," along 
with a statement of dependencies that can include hardware or other software, 
as provided for in Section 5.2.4. If future failure models for software evolve 
that are significantly different from the failure generator described in Section 
5,2.5, the CBDOM could be changed to accommodate this evolution. 

• Spares pooling and borrowing will not be included in the model. 










Rationale— The development of a spares pooling and borrowing model is a major 
task in its own right, For Pan American Airways, only 8 percent of flight control 
system spares used by lino stations are pooled Items, The extent of borrowing 
has not been estoblishcd, but is known to be no-cost reciprocal agreement 
among several airlines. However, the maximum benefits obtoinable from pooling 
may be established by using the CBDOM for a fleet and route structure equal to 
the pool-size fleet. This would assume pooling of XOO percent of the spares 
stocked, 

S.2 OPERATIONS AND MAINTENANCE SIMULATION 

No 0<ScfVl model was found that was suitable for use in the FTFCS, and the model 
specified in this section must, therefore, be created. The Monte Carlo simulation of 
O&M generates the cost statistics in terms of personnel, materials, spares, airplane 
downtime, delay time, and ground-support facilities used to operate and maintain a 
given configuration of FTFCS. The simulated functions will Include: 

• Operations 

• Airplane selection for dispatch 

• Preparation for flight 

• Flight and failure generation 

• Maintenance 

• Maintenance after flight 

• Equipment repair and replacement 

• Postmaintenance validation 

The FTFCS is allowed to impact the airline’s scheduled service by superimposing 
FTFCS failures on a simulated airplane fleet. 

The user can investigate alternative operations, maintenance, and repair scenarios by 
specifying model inputs that characterize **ie airline configuration of interest. Inputs 
specified by the user for airline operatio.i and maintenance include; 

• Route structure 

• Existing station characteristics 

• Potential location of FTFCS resources 

• Scheduled maintenance policies 

• Unscheduled maintenance and repair characteristics 

• Probability of isolating failures by testing 

• Removal rates for repairable and expendable units 

The configuration of an airUbB's operating and maintenance system is to be specified 
by selecting appropriate values and options for the available inputs. For example, the 
location of maintenance facilities within a selected city network and the staffing 
policy for each facility impact the eventual airline performance resulting from a 
simulation run. Similarly, the impact of delays within the system and the ability to 
mitigate their consequences are heavily dependent upon the flexibility of the particu- 
lar schedule chosen and the choice of logic options for handling airplane substitutions. 
To ensure the reasonableness or compatibility of user-supplied inputs to the model, 
data check and verification procedures will be incorporated. 


21 


Since it would be unrealistic to consider the downtime and delays attributable only to 
the F'rPCS, the whole airplane will be divided into three areas of interest: 

• The FTFCS 

• Other avionic systems 

• The remainder of the airplane 

Dividing the airplane in this way allows the FTFCS and other avionics to contend for 
the same resources and permits the masking of delays due to the FTFCS with other 
delays of the airplane and vice versa. 

Timely repair and repositioning of serviceable avionics equipment impact the overall 
effectiveness of the airline to meet schedules and, ultimately, total system operating 
cost. Repair of avionics equipment, including FTFCS components, is to be simulated 
in detail in the O&M model. The intent is to duplicate the procedural flow of repair 
tasks conducted by a commercial airline. Repairable components and LRUs are sent 
to the most appropriate repair shop from field locations where they are judged faulty. 

The O&M model provides output of the resources used in conjunction with each given 
configuration of airborne equipment. Typical output data produced by the model will 
consist of: 

• Maintenance labor hours by equipment and skill level 

• Expendable materials used 

• Number of spares required for different LRUs and repairable components by 
station 

• Frequency, length, and cause of airplane delays 

t Unscheduled airplane downtime due to cancellations 

• Equipment utilization hours 

• Equipment transportation between stations and supplier repair facilities 
3.2.1 Airplane Scheduling 

Before running the O&M simulation model, the user selects an "airline itinerary": a 
set of cities for air service, the route structure for connecting each city, and a flight 
schedule for each airplane in the fleet. The user has two options for accomplishing the 
input of an airline itinerary in the O&M model. An airline itinerary model may be 
selected from an itinerary in use by an existing airline or the user can manually enter 
data for a network of his own choice. The latter option can be a tedious task for a 
large, interconnected network. Nevertheless, the option is available for users having a 
specific network in mind and the detail necessary to describe it. To facilitate use of 
the O&M model, a set of prespecified airline itineraries will be provided. These 
itineraries are internal to the model and selected to represent a spectrum of domestic 
and U.S. flag carriers, both passenger and freight, produced by extraction and edit of 
data from the Official Airline Guide (OAG)o5), 


The OAG is used to develop airline itineraries and schedules for the simulation model. 
The primary data file, PATH BASE, is maintained by Reuben A. Donnelley 
Corporation, a Dunn and Bradstrect company. The OAG defines monthly airline 
schedules, which are easily accessed from magnetic tape, providing a current and 
complete source of flight information for all airlines and airplane types. 

The process of assembling airline routes and schedules from the information contained 
in the OAG tapes is illustrated in Figure 5. The first step is to extract all flight 
records for the airline and airplane type specified in the input. This is done by the 
Edit Program, which also checks data integrity and, if some schedule inconsistency is 
discovered, provides diagnostic printouts to facilitate manual data editing. Then, the 
Itinerary Reconstruction Program continues the process by ossembling individual flight 
legs into airplane itineraries, using the appropriate flight leg designations in the OAG 
code. The next step is to connect itineraries into partial tours, using the Routing 
Program, which creates sequences of itineraries characterized by relatively short 
turnaround times between successive itineraries. A sample of the output is shown in 
Figure b‘. 



Figure 5. Production of Simulation Itineraries and Schedules 


To complete the airplane routing process, an additional route cycle generation pro- 
gram must be developed. This program will assemble partial tours into complete tours 
in which each airplane’s path can be traced from the beginning to the end of its route 
cycle. The algorithm to be used will be similar to the Airline Crew Scheduling 
Program subroutine described in Reference 16. The basic approach is to prepare lists 
of partial tour arrivals and departures, organized according to arrival and departure 
times. This organization ensures that arrivals can be linked to successive departures 
in a way that satisfies the input constraints and the objective of the minimum possible 
total airplanes. 


23 









Itinerary 

numbers 


Cities 


Siuccessive arrival and 
departure time (time* 
week, 0.01 hr) 


@ DTW ORD 
XsWa 5700 

SEA 

5800 

POX HNL 
5998 


>6283 

652% 

HWL PDX 

SEA 

ORD DTU 





77% 1 

7816 

7881 

8108 

866% 

8733 

8926 

95 DTW ORO 

SEA 

PDX HNL 





6190 8100 

8200 

6398 

8525 

6591 

8683 

892% 

9% HNt ITO 

PDX 

SEA ORD 

01 W. 




9195 927% 

11155 1152B 

9350 

10150 

10216 

10281 

10588 

1106% 

95 DTW ORO 

SEA 

POX HNL 





10500 10500 

1 0600 

10798 

10925 

10991 

11083 

1132% 

9% HNL PDX 

SEA 

ORD DTW 





11733 125%! 

12616 

12681 

12908 

15%6% 

15533 

13728 

95 DTW ORD 

SEA 

PDX HNL 





15300 15300 

15%00 

15598 

15725 

15791 

15883 

1612% 

9% HNL PDX 

SFA 

ORD DTW 





-16535 5%1 

616 

681 

908 

1%6% 

1533 

1728 

95 DTW ORD 

SEA 

PDX ITO 

HNL 




12900 12900 
13751 1387% 

13000 

15198 

13325 

13391 

13%83 

13716 

9% HNL POX 

SEA 

ORD DTU 





l%135 1%9.%1 

15016 

-15061. 

15508 

1586% 

15933 

16126 


t j! 


Q 


Figure 6. Sample of Partial Tours in Output From Route Generator 




The computational procedure for the Route Cycle Generator is outlined in Figure 7. 

The first step is to prepare for each city a list of partial tours that originate and 
terminate at that city. These lists are sorted in ascending order of time (departure 
times for originating tours and arrival-plus-turnaround times for terminating tours). 0 



Figure 7. Computational Procedure for Route Cycle Generation 




24 









The next step is to link arriving tours to subsequent departing tours at each city by 
means of the algorithm shown in Figure 8. This algorithm is based upon the first-in- 
first-out (FIFO) rule, and the results are consistent with the requirement for minimum 
fleet size. 

The method used to relate the number of airplanes required to departure schedules is 
based on the assumption that the schedules are cyclic either on a daily or weekly basis. 
This method is described in the rest of this section, 

Let the number of airplanes stationed at airport (i) at time (t) be represented by N[(t), 
and let M(t) represent the number of airplanes en route between airports. The total 
number of airplanes in the fleet is ?N|(t) + IVI(t). It may be assumed that at t = 0, 
which is the beginning of the schedule cycle, all airplanes are on the ground and M(0) 
- 0. Thus, the problem of determining fleet size is equivalent to evaluating the sum 

?N.(0). 
i 1 

The function Nj(t) will be referred to as the "airport activity function." The relation- 
ship between this function and the departure and arrival times can be described by the 
following equation: 

Nj(t2) - Ni(ti) = Ai(ti,t2) - Di(ti,t2), t2 > ti 

where Ai(ti,t 2 ) and Di(ti,t 2 ) are the numbers of arrivals and departures, respectively, 
in the time span from ti to t 2 . 

The flowchart of an algorithm to determine numerically the value of NjiO) for a given 
set of arrival and departure times is shown in Figure 9. First, a list of night numbers 
F{ 4 is prepared at each airport in which the minus sign indicates departures, while the 
lacK of a minus sign indicates arrivals. Let Ty represent the departure time for 
outgoing flights and arrival-plus-turnaround time for incoming higiut*. The set (Fj j) 
is ordered in increasing time sequence so that Tj|,j+l > Tj^j. Let represent the 
number of airplanes just prior to the j-th flight. Then, * 

^i,j “ ^i>j“l ^i,j ^ ® 

^i>j <0 

Starting with an arbitrary initial value Kj^i, the recursive use of these equations will 
yield a set of values Let K* represent the minimum value in the set (Kj j), By 

setting Ni^j - Ki, ine resulting set (Nj j) will satisfy the condition that all of its 
members are non-negative; that is, Njj > u. Thus, the initial value of the airport 
activity function is given by: 

Nj(0) = Kj,i - K? 

By the summation of Nj(0) over all cities in the network, the minimum number of 
airplanes required to satisfy the schedule is obtained. 

The last step in the computational procedure outlined in Figure 7 is to assemble the 
completed tours. This is done by tracing partial tour linkages from city to city until 
each tour cycle is identified. Output from the route cycle generation enables the 
FTFCS configurations to be evaluated and optimized by the CBDOM. 


25 


ORIGINAL PAGI It 
OF POOR QUALITY 





O 


f I 


i: .1 


Figure 8, Algorithm for Linking Partial Tours 


26 










ORIGINAL PAGE IS 
OF POOR QUALITY 


C 


r- 




I 


lr\ 

■■i'V 



Figure 9. Algorithm for Determining Fleet Size Nj (0} 

5.2.2 Substitution and Cancellations 

Interchanging the position of the airplanes within the airline itinerary is allowed in the 
O&M model only at the day's end or before daily flight operations begin. To be candi- 
dates for Interohttnge, both airplanes must be located at the same city; i.e., they both 
remain overnight at the same location. 

A primary reason for allowing interchange is to expedite maintenance actions on one 
or more airplanes. For example, assume that some maintenance action is required on 
Airplane 4 in Table 2. Also assume that the maintenance must be undertaken at 
Chicago (ORD), but is deferrable for I day. Airplane 4 could interchange itinerary 
positions with Airplane 8 to facilitate the required repair. The model logic determines 
interchange possibilities and executes them if necessary and feasible. 


27 








ORIGINAL PAGE IS 
OF POOR QUALITY 


Table Z Sample Airplane Itinerary for Day 1 


Airplane 

number 

Itlnerarv 

1 

LGA 

ORD 

TOL 

ORD 

LGA 

ORD 

TOL 



2 

TOL 

ORD 

LGA 

ORD 

TOL 

ORD 

LGA 



3 

LGA 

ORD 

MBS 

ORD 

LGA 

ORD 

DTT 



4 

DTT 

ORD 

LGA 

ORD 

DTT 

ORD 

LGA 



5 

LGA 

ORD 

CID 

ORD 

CID 

ORD 

SFO 

ORD 

LGA 

6 

LGA 

ORD 

DTT 

ORD 

MBS 

ORD 

LGA 

ORD 

LGA 

7 

LGA 

ORD 

MBS 

ORD 

LGA 

ORD 

DTT 



8 

DTT 

ORD 

LGA 

ORD 

CID 

ORD 

SFO 

ORD 


9 

Two nights at ORD 








10 

ORD 

CLE 

ORD 

DEN 

ORD 

DEN 

ORD 

CLE 


11 

CLE 

DEN 

SLG 

DEN 

CLE 

ORD 

DEN 

ORD 


12 

ORD 

CLE 

ORD 

DEN 

ORD 

DEN 

ORD 

CLE 


13 

CLE 

ORD 

LGA 

DEN 

ORD 





14 

ORD 

CLE 

ORD 

DEN 

ORD 

DEN 

ORD 

CLE 


15 

CLE 

ORD 

LGA 

DEN 


ORD 




16 

ORD 

CLE 

ORD 

DEN 

ORD 

DEN 

ORD 

CLE 


17 

CLE 

ORD 

LGA 

DEN 

SFO 

DEN 

ORD 



18 

Two nights at ORD 








19 

ORD 

TOL 

ORD 

DEN 

LGA 





20 

LGA 

ORD 

SFO 

ORD 

DEN 

ORD 




21 

ORD 

TOL 

ORD 

DEN 

LGA 





22 

LGA 

ORD 

SFO 

ORD 

DEN 

ORD 




23 

ORD 

TOL 

ORD 

DEN 

LGA 





24 

LGA 

ORD 

DEN 

ORD 

DEN 





25 

DEN 

ORD 

DEN 

ORD 

LGA 





26 

LGA 

ORD 

LGA 

ORD 

DEN 





27 

DEN 

ORD 

DEN 

ORD 

LGA 

ORD 




28 

ORD 

LAS 

ORD 

CID 

ORD 

LAS 




29 

LAS 

ORD 

LGA 

ORD 

LGA 

ORD 




30 

ORD 

LAS 

ORD 

CID 






31 

CID 

ORD 

LGA 

ORD 

DEN 

SLC 




32 

SLC 

DEN 

ORD 

SFO 

ORD 

LGA 

ORD 




It has not been possible to develop a method of simulating the events following a flight 
cancellation. In the real world, schedules for a number of airplanes may be changed to 
close the gap left by a failure that results in cancelled flights. Also in the real world, 
one or more nonrevenue repositioning flights may be required following a cancellation. 
Further work is required in the proposed Phase II of this program to establish the cost 
consequences of cancellations and a recovery method, so that the correct cost penalty 
can be applied to a simulation model cancellation. In the interim, a cost penalty will 
be based upon loss of all flights from the cancelled flight to the end of the day. The 
cost penalty will be calculated using the expression for CN described in Section 5.3. 
The airplane then will continue as though no cancellation had occurred. 


5.2.3 Line Maintenance and Repair 

As each airplane cycles the airline tiinerary, opportunities for maintenance are encoun- 
tered. Scheduled maintenance actions are built into the itinerary. For example, note 
the entry for Airplane 9 in Table 2. It is scheduled to spend 2 days and nights at ORD. 
During this time, maintenance actions are undertaken to make all airplane systems 
current and operable. 

Unscheduled maintenance is performed as necessary, depending on the resources and 
time available. The user is required to select, as input, the types of maintenance 


28 




conducted at each airport in the network, the available manpower by skill level, and 
the loeation and staffing of the repair facility. 

Line Maintenance--Three levels of station maintenance resource are to be selected by 
the CBDOM user and allocated to each city on the route according to the following 
definitions: 

• Type 1— Has no maintenance resources. Maintenance at Type X stations is 
accomplished by requesting assistance from the nearest Type 2 or 3 station. Re- 
placement parts, personnel, and equipment will be flown in from the nearest 
station with available resources. 

• Type 2— Has a single personnel resource pool with mechanics capable of perform- 
ing all unscheduled line maintenance and scheduled work for T-checks (transit) 
and A-checks (see appendix I for definitions). 

• Type 3— Has one personnel resource pool for gate positions and one for the 
hangar, each operating independently. Gate personnel per form unscheduled work 
and all checks through A, Hangar personnel perform B- and C-checks. 

The logic for operation of a typical Type 2 or 3 station is shown in Figure 10. 

The user may specify the skill levels to be provided at each Type 2 or 3 station by 
combinations of the following options: 

• Skill 1 mechanics are capable of performing any maintenance on the airplane 
associated with replacement or adjustment of avionic equipment, including 
FTFCS. 

• Skill 2 mechanics are capable of performing any maintenance on the airplane 
associated with replacement or adjustment of mechanical equipment. 

• Skill 3 mechanics are required for testing, inspection, and repair of unserviceable 
avionic equipment except specified FTFCS equipment. 

• Skill 4 technician/programmers can accomplish Skill I and 3 work. In addition, 
they are required for changes to software, firmware, and checkout of changed or 
modified FTFCS equipment. Skill 4 personnel will receive recurrent training 
every 6 months on FTFCS maintenance. (However, it remains to be seen if the 
FAA will permit airlines to perform such changes.) 

Line maintenance actions are generated for each FTFCS LRU as shown in Section 
5.2.5. If a nondeferrable fault is detected at a city with insufficient resources to 
rectify the fault, appropriate resources are flown to that city. In actual practice, 
airlines accomplish this using other scheduled carriers, chartering a flight, or relying 
upon their own flight schedule for delivering the necessary resources. Charter and 
competitive airlines are not included in the OacM model. Consequently, to simulate 
expedient repair of such a disabled airplane, a time distribution sample is used to 
determine the length of time it takes to position the required resources where needed. 
All resources used in this way are accounted for and their availability is tracked. For 
example, if two mechanics are repositioned from Ch mgo to some remote location, 
the model decrements Chicago's number of available mechanics by two until the work 
is complete and they return. 


29 


ORlOlNAL PAQIEJJ 



Figure 10. Typical Line Station Logic 


30 













Scheduled maintenance of an airplane is conducted in the O^M model during 
B-, and C-checks. The maintenance activities covered by each of these checks are 
described in Appendix !. T-^hecks are conducted daily and are short checks made on 
an airplane whenever it stops at an airport that has maintenance manpower. A-, B-, 
and C-checks are conducted as a function of elapsed flight hours for each airplane. 
The model user will be able to specify the form of these functions us input to the 
model. For examplet the user can specify that A-checks can occur sometime between 
50 to too flight hours after any previous letter check. The model then schedules each 
airplane's A-check within this time frame. 

The time required to complete each letter check is a random variable and is deter-^ 
mined in the model by a draw (a random sample drawn from a characteristic proba- 
bility distribution). The type of draw will depend on the resources available for 
conducting the letter check. For example, if four qualified mechanics are available to 
conduct an A-check on a particular airplane, the duration of the task will be longer 
than Q situation in which six mechanics are available to conduct the A-check. The 
model will track resource availability and allocate manpower to minimize delay. 

B-checks are made less frequently than A-checks, but are more extensive, taking 
longer to complete. However, A and B-checks can be completed during an overnight 
layover if sufficient manpower is available. C-checks take longer than overnight to 
complete. The airline itinerary allows for this by including an extended layover at 
appropriate maintenance facilities. As each airplane in the fleet cycles through the 
airline itinerary, it has a maintenance opportunity when this layover is encountered. 

Unscheduled maintenance requirements occur in the O&M model when previously gen- 
erated faults to the airplane are detected. The procedure for generating, detecting, 
and recording faults to the airplane is discussed in Sections 5.2.4 and 5.2.5. In general, 
repair to some detected faults is deferrable until a maintenance opportunity, e.g., a 
scheduled letter check or overnight at a qualified maintenance facility. Deferrable 
faults are corrected at the first opportunity to complete the required maintenance 
action. Workload requirements for correcting these faults are in addition to any 
scheduled niaintenance actions. The faults generated by the model are repaired either 
in series with, or parallel to, ongoing maintenance activities. For example, if qualified 
mechanics are available in addition to those making an A-( 2 heck on the airplane, the 
model-generated faults are repaired during the time an A-check is under way. If 
sufficient mechanics are not available, then the A-check schedule time is exceeded. 

Nondeferrable faults must be repaired before an airplane can resume service. Non- 
deferrable faults have repair priority over other repairs if schedule delays are 
imminent. If nondeferrable faults are detected at a location not staffed with qualified 
mechanics, mechanics are transferred to repair the defect. Mechanics sent to put an 
airplane back in service are dispatched on a priority basis with respect to the current 
workload. 

Repair Shop Maintenance— The repair shop model simulates the test and repair of the 
avionic equipment used aboard an airline's fleet. 

Two classifications of repairable avionic equipment are modeled. One classification is 
used to represent the FTFCS components that have failed in the O&M model. These 
FTFCS components are individually tracked from the time they are removed from the 
airplane to the time they arrive at the repair shop. 


Asecon<j clossification, termed ”all other avionics,” represents additional components 
that are repaired in tlie modeled shop. This collective category contributes most of 
the workload in the repair shop. Arrivals of all other avionic components at the repair 
shop are generated in the model by a draw from a user-selected distribution. Draws 
from additional distributions establish individual repair eharacteristlcs of avionic 
components arriving for repair. 

The repair model is governed by repair shop input data and will be based upon line 
station sitnulation, actual airline operational data, and estimates for FTFCS oquip- 
ment. These include items such as frequency distributions for arrivals of repairable 
components at the repair shop, repair time distributions, working hours and shifts, and 
overtime rules. Figure 11 illustrates the generalized logic flow of the model's avionic 
equipment repair tasks. 

Repair priority is another characteristic influencing any component's flow through the 
repair shop, Three repair priorities are used in the model: 

• P3— highest priority (used for airplanes on the ground) 

• p2—intermediate priority (used for interrupted tasks) 

• PI— lowest priority 

FTFCS components receive a repair priority based on line station demand. 

When each non-FTFCS component arrives, it Is assigned a repair priority by a draw. 
The value of a component's repair priority is used in the model to establish its position 
within any queue. P2 components queue ahead of PI components and behind P3 
components. Repair priority P3 is used for components requiring immediate repair. A 
P3 value allows the component to interrupt an ongoing test or repair of a component 
with lesser priority. Any component Interrupted by a P3 component is assigned a P2 
value for tlie remainder of its time in the repair shop. 

In addition to repair priority, each arrival is assigned a prerepair test time, a repair 
time, and a postrepair test time by draws from separate distributions. Two additional 
draws are used to describe the individual components. The first draw determines if 
tlie component's fault is confirmed upon pretest. The second draw establishes whether 
the fault was repaired after the component had passed through the repair cycle. 
Components with faults that are unconfirmed at pretest are treated as being repaired 
and fully functional. Components failing the postrepair test are treated like new 
arrivals and are required to undergo an additional cycle through the repair shop. 

Two types of test equipment are used by the repair shop: automatic test equipment 
(ATE) and manual test equipment. Input to the model specifies which type of test 
equipment is required by each FTFCS component. Some components, notably those 
represented by the category "all other avionics," can use either type of test equip- 
ment. In these cases, the applicable test equipment is decided in the model by means 
of a draw. The outcome of the draw determines if an individual component requires 
ATE. This information then accompanies the component as it passes through the 
repair shop. 

Two contrasting repair flows are distinguished in the model, depending on the type of 
test procedure (ATE or manual). Equipment is not repaired while on ATE, Rather, 
faulty equipment is transferred to a repair bench, which contains a modest amount of 
manual test equipment, and most of the necessary parts for isolation and repair of 
faults uncovered by the ATE. This procedure frees the ATE bench and is adopted 


lint 




nepAiH 5H0I' 
nbSOUHCE 


OieCK STOCK 
UVEUAOO'I 
AND ESTAflUSM 
OEPAiRi>nioniTy 


-’^OTHIW ^ 
STATION 
SUPPLY AND 
S^DEMANILx 


^ PARTS 
AVAILASLE 
V > /NO 


HAS \ 

PAIIITnFPM\ T6S 

. I50LATBP / 


PARTS ^ 
HEQUinEO 
V r . 


OUEUi FOR PARTS 


ASSIGN TEST 
TIME 


PERFORM 

INTERRUPT 


ASSIGN REPAIR 
TIME ANO SKILL 
LEVEL 


PERFORM 

INTERRUPT 


/"TEST\ 
BENCH 
AVAILABLE 
\ / 


INTERRUPT 
^ t 


^ MAN \ 

3F RIGHT SKILCS^Ii/ 

>^vailable/II1X 

? ^/''^LINE^ 

I demands] 

VMS I N- 


interrupt 

^ 


QUEUE FOR 
TEST BENCH 


COMPUTE 
REMAINING TIME 


QUEUE FOR 
MECHANICS 


OVERTIME 

REQUIRED 


PERFORM TEST TO 
SHIFT END PLUS 
YES OVERTIME 
>— ^ ALLOWED CH 

completion or 

INTERRUPT 


OVERTIME 
REQUIRED 
V 7 


PERFORM TASK TO 
SHIFT END PLUS 
OVERTIME 
ALLOWED OR 
COMPLETION OB 
INTERRUPT 







* 

PERFORM TEST 
TO SHIFT END 
OH COMPLETION 
OR INTERRUPT 





TO SHIFT END 
OR COMPLETION 
OR INTERRUPT 

nr 


compute LNO/ 

REMAINING TIME 


TEST ^ 
COMPLETE 
V 7 ^ 


TASK 

COMPLETE 
\ 7 / 


/5ELF-\ 

TEST 

^APABILIT^ 
\ 7 / 


OTHER ^ 
STATION 
SUPPLY ANO 
V DEMAND ^ 


/^RETURN TO> 
SPARES POOL 
vTHIS STATION. 


2 I TeiNppfoo or lin«, to 


Figure 1 1. Repair Shop Logic 


33 













because of the relatively high Investment cost of ATE. An exception to this procedure 
occurs when o component's repair time is small. In this case, the repair is conducted 
at the ATE bench, followed immediately by an ATE postrepair test on the component. 

Components not using ATE are tested and repaired at dedicated test benches that 
contain the test equipment necessary for manual test and repair of avionic 
components. 

Overtime labor is used to alleviate repair backlog, component stockout, or P3 repairs. 

The repair task is completed when the component is dispatched to a specified location 
or placed in inventory, 

5.2.4 FTFCS Equipment Definition and Failure Status Recording 

This section describes the method to provide formal computer-compatible descriptors 
of the candidate FTFCS. The descriptors can be used to Input and to track failure 
status of equipment in the O&M simulation. In addition, the descriptors provide 
storage for some data used only in the economic analysis. 

For purposes of definition, the FTFCS will be divided into physical and functional parts 
and groups of parts. The fundamental FTFCS building block is called o "component,” 
The collection of all FTFCS components will be called the "system,” Within the 
system, similar components will be members of sets to be referred to as "stages." 
Finally, the current collective condition of all components within the system shall be 
known as the system "state." A component (or components) that may be easily re- 
placed by line-station mechanics is called a "line-replaceable unit" (LRU). Definitions 
of the above terms as they apply to the cost optimization are as follows; 

a Component— An FTFCS component is a repairable or replaceable part or a group 

of parts. Its fundamental characteristic is that the CBDOM user determines it 
to be one of the basic FTFCS units, from a cost-optimizing point of view. Thus, 
an FTFCS component is an important, definable part (or indivisible collection of 
parts) with a known failure rate and failure effect. Examples of possible FTFCS 
components are; processor, memory, clock, sensor, actuator, bus, display, 
software, and firmware. 

a Stage— Identical interchangeable components are called stages. Identical means 

that all members of a stage are the same type of component and have the same 
failure rate. 

• System— The system is composed of a series of all of the stages, each stage 
containing similar components. 

• State— The system state consists of a current "snapshot" of the system, Tliis 
"snapshot" reveals; 

• The arrangement of components into stages 
a The number of failed components per stage 

• The components that have failed 

• Each stage's dispatch-critical complement 

• The LRUs in which the failed components are located 

• The components that are due for regularly scheduled maintenance 


34 



• Line-Replaceable Unit (URU)— A unit that can be readily changed on an aircraft 
during line maintenance operations. 

The ptiysical and functional parts of the FTFCS can be represented using a linked-list 
data structure. This enables a record to be kept of functional failures and physical 
LRUs or components that are replaced or repaired by maintenance. Figure 12 illus** 
trates typical physical and functional groups. 

During siinulation of the FTFCS operation, component failures are generated and the 
stage failures are recorded. For example, the system shown in Figure 12 might allow 
dispatch with up to two failures in any stage. A further failure in this stage necessi- 
tates maintenance. Maintenance takes place on an LRU, not a stage, unless the stage 
is packaged as an LRU. 

A PASCAL program was produced during this study to gain experience with linked-list 
data structures. Figure 13 shows a typical record output from the program in which 
Power Supply 9 of Stage 5 in LRU 2 fails, causing a number of dependent components 
to fail as well, including Processor 9 of Stage 1 in LRU 2. 

The model checks the FTFCS status to determine if the dispatch requirements for the 
particular station can be met, as shown in Figure 14. As well as recording FTFCS 
status, additional input data are required to simulate maintenance and perform eco- 
nomic analysis. The data for each component may be interactively built into an input 
file and include: 

• Type 

• Quantity 

• Weight 

• Package type (card, chip, box, etc.) 

• Coat 

• Dispatch-critical complement 

• Turnback and diversion complement 

• Failure rate 

• Fixed overhaul letter-check code and frequency (e.g., 3B equals every third S- 
cheqk) 

• Percentage of failures detectable (by letter-check) 

• Test-time distribution 

• Removal time 

• Repair-time distribution 

• Replacement time 


35 



Line replaceable 
units (LRU's) 


ADQnn ~ 

*■' '■ "» I— . ■■X U / » I component 



Figure 12. Physical and Functional Component Sets 



36 










ORIGINAL PAGE 18 
OF POOR QUALITY 


0 


0 

0 


0 


0 


>»» SIAOE 6 

rWR SUPPLY STAGE • 

NUMBER OF COMPONENTS I 10 • 

CRIT. DISPATCH NUMB. I 6 • 

PACKAGE ; PC BOARD * 

NUMBER OF PACKAGES I 1 • 

FAILURE RATE ; 0.75 • 

«****«****•«• •«••*****«*•• 

>»» CONTENTS ««< 0 

.•«**M*««*M**M.«M*#**«*M 0 


PHR SUPPLY 10. LRU 1 • 

STATUS : IDLE • 

NEAT COMP -PWR SUPPLY t * 
DEPENDENT MODULES - * 

COHTROLLERIO • 

INNER BUS 10 * 

PWR SUPPLYIO • 

CLOCK 10 • 

10 PORT 10 * 

MEMORY 10 * 

PROCESSOR 10 * 


PHR SUPPLY 9. LRU 2 
STATUS : FAILED 
NEXT COMP -PWR SUPPLY 
DEPENDENT MODULES • 
CONTROLLER 
INNER BUS 
PWR SUPPLY 
CLOCK 
10 PORT 
MEMORY 
PROCESSOR 





• 



* 

PWR SUPPLY 8. LRU 4 


* 

STATUS ; ACTIVE 


• 

NEXT COMP -PHR SUPPLY 7 


* 

DEPENDENT MODULES ■ 


* 

CONTROLLER 8 



INNER BUS 8 


• 

PWR SUPPLY 8 


• 

CLOCK 8 


• 

10 PORT 


* 

MEMO' 


* 

pp 



. I »>>> STAGE I 


PROCESSOR STAGE 
NUMBER OF COMPONENTS s 10 
CRIT. DISPATCH NUMB. : 6 
PACKAGE ! PC BOARD 
NUMBER OF PACKAGES : 1 
FAILURE RATE ; 0.75 


>»» CONTENTS ««< 


PROCESSOR 10. LRU 3 
STATUS : IDLE 
NEXT COMP -PROCESSOR 9 
DEPENDENT MODULES - NONE 


PROCESSOR 9. LRU 2 
STATUS : DEPENDENT FAIL 
NEXT COMP -PROCESSOR 8 
DEPENDENT MODULES - NONE 


PROCESSOR 8. LRU 6 
STATUS ! ACTIVE 
NEXT COMP -PROCESSOR 7 
DEPENDENT MODULES - NONE 


PROCESSOR 7, LRU 7 
STATUS : IDLE 
NEXT COMP -PP'** 
DEPENDENT ' 


Figure 13. Example of Simulation Record Keeping 


37 



ORIGINAL PAGE 18 
OF POOR QUALITY 


LRU 1 

LRU 2 

LRUS 

LRU 4 

LRU 5 

PROC 

CLK 

I/O 

MEM 

PWR 

BUS 


PROC 


CLK 


MEM 

I/O 


I/O 


• Current itate 


Stage 

Number 

good 

Number 

failed 

PROC 

3 

2 

CLK 

3 

2 

I/O 

2 

3 

MEM 

3 

2 

PWR 

4 

1 

BUS 

4 

1 


• Station critical dispatch requiramanti 


Stage 


PROC 

‘ 3 

CLK 

3 

I/O 

3 

MEM 

3 

PWR 

3 

BUS 

3 


Fix before 
fli^t 


Figure 14. Comparison of FaulFTolerant Flight Control System State 
and Specified Station Dispatch Requirements 

After developing the PASCAL program, it was found that the declaration of set 
relationships and data structures for FTFCS equipment definition and status recording 
is relatively simple using SIMSCRIPT, For instance, relationships can be established 
by means of SIMSCRIPT statements such as: 

THE AIRPLANE OWNS THE FTFCS 

EVERY LRU OWNS A GROUP.OF.STAGES 

EVERY STAGE HAS AN IDENTIFICATION.NUMBER, 

A DISPATCH.MINIMUM.COMPLEMENT, 

A TOTAL.FAILED, OWNS A PROCESSOR AND A POWER SUPPLY 
AND BELONGS TO A GROUP.OF.STAGES, 

AND AN FTFCS 


The declaration defines classes of objects having similar properties and permits data 
retrieval from computer program variables such as IDENTIFICATION.NUMBER 
(STAGE). The value of IDENTIFICATION.NUMBER will be found in Word 1 of a 
STAGE record. TOTAL.FAILED(STAGE) would be updated as the simulation proceeds 
and failures are generated as described in Section 5.2.5. 

5.2.5 Removal-Generator for the Operations and Maintenance Simulation 

One method of simulating removals of FTFCS LRUs is to provide a failure generator 
based on a simple arrangement with components of a given type, in parallel, forming a 
stage and with stages connected in series. 

Rationale— Until a better reliability model is developed, the O&M simulation will 
approximate realistic maintenance demands and queues for resources. Simplification 
in this manner means that the dispatch-critical complement of equipment required for 
flight must be determined in some other way, probably using CARE III, when it is fully 
developed. 


38 




























The probability of removing an LRU can be established using terms of a binomial 
I expansion as follows: 

If Nj = full dispatch complement of Component Type i (user input or model 
variable) 

and K| = minimum dispatch complement of Component Type i (user input) 
then Rj = probability that a dispatch can be made after a total of t flight hours 
f without i '?pair to any Type i components is given by: 


Nil) 

Bin “2 

Nil)! (p»»(x)) 

q>.<N<i} - X) 


x»K(i) x! 

(N(i) - X)! 


1 

where; 

p - reliability of one Type i component 


1 

I 

1 

b 

f 

\ 

I 

- e**(- fa(t)dt) 
q = 1 - p 
a = hazard function 
t = flight time 
e = 2.71828 





The combinatorial expression for Rj is valid only when all components of an LRU start 
out with zero time after repair or the hazard rate is constant. 

If R(SYS) is the probability that a dispatch is possible without maintenance to the 
system, then for J different stages where a stage consists of identical components of 
Type i, R(SYS) is given by: 

J 

R(SYS) = 7T R(i) 

i=1 

and the probability of removal is given by 1 - R(SYS). 

The combinatorial failure generator provides a method of simulating LRU removals, 
but does not provide a method of simulating repairs or replacement of components 
within the LRU. This problem is addressed in Appendix VIII, where a closed-form 
solution and a SIMSCRIPT simulation solution are provided and are in good agreement. 
As a result of these comparisons, a failure generator of the type provided in the 
SIMSCRIPT program of Appendix VIII is proposed. 

5.3 ANALYSIS OF INVESTMENT AND OPERATING ECONOMICS 

The parameters to be used by the model for purposes of optimization are the present 
equivalent value of total costs and benefits (TCB) and return on investment (ROI), 


39 


wliicli ure defined in Section 5.3,1. Total costs and benefits, simply slated, are the 
result of procuring, operating, obtaining benefits from, and disposing of a product and 
are expressed as follows; 


TCB - rc + OC + TA + RCC + OB 
where; 

TCB - total costs and benefits (sec. 5,3.1) 

IC = investment costs (sec. 5.3.2) 

OC = operating costs (sec. 5.3.3) 

TA = tax adjustments (sec. 5.3.4) 

RCC = retirement costs and credits (sec. 5.3.5) 

OB = operating benefits (sec, 5,3.6) 

The convention is adopted that money received is positive (+) and money paid out is 
negative (-). 

5.3.1 Cost and Benefit Measurement Parameters 

Investment opportunities may be mutually exclusive (choosing one option rules out all 
others) or independent. For example, optimization of FTFCS eliminates all but the 
best alternative, which is the mutually exclusive choice. Possible use of surplus 
FTFCS computer capacity for add-on functions, such as engine monitoring or 
navigation, presents independent choices. 

For mutually exclusive alternatives produced by different sets of optimization input 
variables, the scheme selected should be the one that meets a minimum attractive 
rate of return (MARR) criterion and has the maximum present equivalent value of 
TCB. Where one of the mutually exclusive alternatives must be chosen, such as fauit- 
tolerant or conventional flight controls, the question to be answered is "for which 
scheme is an investment difference from a chosen baseline scheme most justified?" 
For mutually exclusive alternatives, the selection will, therefore, be on the basis of 
the cost/benefit differences from the baseline scheme (the one with minimum invest- 
ment cost). In this case, consideration of the costs and benefits of a single scheme is 
not appropriate, but the differential ROI must exceed the MARR. 

For Independent alternatives, the alternatives that meet the MARRs are ranked in 
order of descending ROI. Selections then are made from the top of the list until the 
desired amount of capital has been invested. Selection criteria are shown in Table 3. 


Table 3. Investment Decision Alternatives 



Study type 

Absolute costs and benefits 

Cost differences from baseline 

Mutually exclusive alternatives 

(not appropriate) 

O 

Select minimum investment scheme 
unless additional investment in alter- 
natives exceed minimum attractive 
rate of return, in which case choose 
minimum total cost scheme (y 

Independent alternatives 

Rank by decreasing return on invest- 
ment and select off the top until 
capital is exhausted or minimum 
attractive rate of return is reached 

(as for (D ) 







Rationale—The primary purpose of the CBDOM is to optimize design by evaluating a 
scries of mutually exclusive alternatives. However, the ability to assess the desirabil- 
ity of the optimized design compared with other independent uses for investment 
capital also is required by an airline making investment decisions and, therefore, is 
included in this discussion. 

The steps in performing the economic analysis are as follows; 

Step 1— Using the details for given FTFCS configurations, calculate the cash paid out 
or received for each year the equipment is owned. 

Step 2— Add up the costs and revenues for each year, keeping each year separate. 

Step 3— Calculate the present equivalent value for each year's payments and receipts 
from the formula: 

PEVTCB (J) = TCB(J)/(1 + MARR(J)/100)»*J 


where: 

iVlARR = percent minimum acceptable rate of return (the rate that 

just meets the investor's threshold of acceptability) 

PEVTCB (J ) = present equivalent value of all payments, benefits, and 

receipts in the Jth year of operation defined in Section 5.3 

TCB(J) “ total costs and benefits for year J 

J = number of years from start of operation (J = 0 is the 

first year of investment and operation) 

Step 4— Steps 1 through 3 are repeated for each design alternative. If subscript K is 
used to denote the design alternative (e.g., K = 1 is the first design scheme, K = 2 is 
the second), then: 

PEVTCB (J,K) = the present equivalent value of cost of ownership or the sum of 
all receipts and payments in the Jth year for the Kth design 
alternative 

PEVIC(J,K) - the present equivalent value of investments made in the Jth 
year for the Kth design alternative 

PEVIG(J,K) = IC(J,K)/(a + MARR(J))**J) 

Step 5— As a basis for comparison, choose the design alternative with the lowest 
present equivalent value of investment cost. For this design alternative, let K = 
KMIN. For the case where cash benefits are not separately identified, the costs of 
each scheme can be compared. If the scheme with the lowest present equivalent value 
of total investment cost is denoted by KMIN, then; 


EROI(NY,K)-100^ 


NY 

S 

J“0 

PEVTCO (J.KMIN) 

NY 

"2 P6VTC0(J,K) 
J"0 

JL 

N^ 

.-1 

NY 

NY 


1 

PEVIC (J.K)- 2) 

PEVIC (J.KMINI 


. J«0 

>0 

•< 



( 1 ) 


where: 


EHOI (NY,K) =the extra return on investment (the amount by which ROI 
exceeds MARR) through a period of NY years (expressed as a 
percent) for Scheme K compared with the scheme requiring the 
minimum investment (Scheme KMIN) 

Note that if the numerical value of the inner term of this equation is between 0 and 
1.0, the EROl is negative, and if the inner term is negative, the NYth root is 
imaginary. For both cases, the EROl (NY,K) must be calculated from the expressioii 
below where NY is a positive integer; 


ERO((NY,K)»-100 


NY 

r 

j=0 


NY 

r 

J-O 


NY 

PEVTCO (J.KMIN) -2 PEVTCO (J.K) 
J=0 
NY 

PEVIC (J,K) - 2 PEVIC UKMIN) 
J=0 


JL 

NY 



(2) 


Rationale—lt is not always clear from examining the input data if a given design will 
produce a positive EROl or, for that matter, a positive net terminal return. There- 
fore, provisions for calculating negative EROIs has been made by assuming a symmet- 
rical relationship for positive or negative ROI for the same absolute value of cash 
flow. Equations (1) and (2) also can be used to determine the internal rate of return 
(equal to the value of MARR for which the EROl = 0). The formula also can be used to 
determine the net terminal return on investment by making MARR = 0. With a com- 
parison of independent alternatives, those with the highest EROl are chosen until an 
investment of the desired size has been made. For mutually exclusive alternatives, 
the preferred scheme is the one with an EROl greater than 0 and the highest value of 
net terminal cash: 


NY 


NY 


2 PEVTCB (J.KMIN) - PEVTCB (J,K) 

J=0 J=0 

When cumulative benefits are separately identified for each case, then an EROl can be 
calculated using Equations (1) and (2), with all terms involving Scheme K set to zero. 

Step 6— The payback point (PP) is calculated by incrementing J from its starting value 
until the year JXis found in which the EROl changes sign from its last negative value. 


PP 


(JX - 1) + 


-EROl (JX - 1) 


EROl (JX) 


EROl (JX - 1) 


where: 


= payback point in years from the start of operation 

- tiie year in which the extra return on investment changes sign 
from its last negative value 

= the last negative value of EROI 

= the next positive value after the (JX “l)th value of EROI. 

At the start of the first year of operation, the EROI = 

- 100 %.) 

It is possible that, within the study period (NY), there are multiple payback points. If 
the maximum EROI does not occur after the last payback point, a study should be 
made to determine replacement costs and a replacement strategy. 

Rationale--Several airlines use payback point. After reviewing the draft model 
requirements by the airlines, payback point was offered as an alternative decision 
criteria. The use of MARR= 0 also can be used to provide a payback point in terms of 
number of years required to recover the investment in actual cash rather than present 
equivalent value cash. 

5.3.2 Investment Cost Definitions 

Investment cost (IC) is the cost of all properties and funds required for an airline to 
set up a business. Investment costs (IC) provided for FTFCS evaluation consist of: 

IC = ICAP + ICRS + ICES + ICGS + ICST + ICTM + OTHER 

where: 

ICAP = airplane parts procurement and installation 

ICRS = rotatable spares investment 

ICES = expendable spares initial stock 

ICGS = ground support equipment 

ICST “ special tools and test equipment 

ICTM = training equipment 


PP 

JX 

EROI (JX - 1) 
EROI (JX) 


I 

Inflation or deflation of any IC not specified by means of a lookup table will be at a 
standard user-supplied rate (default value = 8 percent per year). 

ICAP— The cost of procuring and installing parts on an airplane consists of the price 
charged by the parts supplier plus the installation costs multiplied by a profit markup 
factor for the airplane manufacturer. 

In addition to the profit markup, new airplanes are subject to a 5 percent progress 
payment schedule for each of seven quarters before delivery. Thus, the prepayments 
have the effect of increasing the airplane price by a factor of 1.06 when progress 
payments are converted to a present value at 15 percent MARR. With the ACES, the 
user can change the default values of profit markup and prepayment factors. The 
ACES takes the price per part and quantity per airplane from the data provided as part 
of the FTFCS component, stage, and system description (sec. 5.2.4). The installation 


43 


cost per part, in first year of operation dollars, also is provided by the user as part of 
the FTFCS description. Prices are inflated to other years in which investment takes 
place using Table 4 or an inflation factor supplied by the CBDOM user. 


Table 4. Materia! Inflation Percentage 


Year 

Material increase 
ovt»r the previous 
year (%) 

Year 

Material increase 
over the previous 
year (%) 

■a 

— 

1969 

4.4 

■ii 

0 

1970 

6.1 

1961 

0.4 

1971 

2.8 

1962 

-0.4 

1972 

2.9 

1963 

0.1 

1973 

&4 

1964 

1.7 

1974 

10.0 

1965 

2.0 

1975 

1&0 

1966 

2.8 

1976 

7.5 

1967 

Z3 

1977 

5.2 

1968 

Z9 

1978 

8.6 


ICRS— The cost of rotatable spares is the product of the cost per unit in a given year 
times the quantity required. Quantity will be derived from the O&Msitnulation, which 
will be initialized by a spares-provisioning program in the ACES. The spares- 
provisioning program uses a technique developed by G. Black and F. Proschan(l*^) under 
Signal Corps Contract DA-36-039-8C-75012. This program produces the minimum IC 
quantities of spares from the possible alternatives to achieve a user-specified 
probability of no stockout of any item in the kit. However, the provisioning routine 
contains no allocation logic to determine how the quantities of spares provisioned 
should be distributed around an airline network. In addition, the cost penalty of a 
stockout is not included in the method of optimization. 

In the CBDOM, the existing ACES spares routine will provide a good first estimate of 
the spares required. The spares quantity then will be optimized for maximum airline 
profit by allocating spares in quantities determined by the CBDOM response surface 
exploration described in Section 5,4. Thus, spares will be positioned at stations 
specified by the model user in optimum quantities defined by the CBDOM. Locations 
for spares will normally match those used by the airline being represented. If FTFCS 
spares are located at a new location, the user must supply estimates of IC associated 
with setting up the new location and any cost incremental to the standard spares 
holding cost (see sec. 5.3.3— Operating Costs). Table 4 is used by ACES for inflation or 
deflation of spares from specified year prices. 

ICES— This is the cost of providing an initial stock of expendable spares. Materials 
that are consumed are charged as an operating cost and accounted for under 
Maintenance Material Operating Cost (MM). It is necessary to invest in a sufficient 
stock of expendable materials to take care of periods of heavy demand and to take 
care of the time between placing a replacement order and receiving a delivery. An 
empirical methodt^®) that is used by several airlines and has been used in ACES is as 
follows: 

To calculate expendable spares investment, perform the following steps: 


44 









step 1—Calculate the annual usage cost (MM) in dollars as shown below. 

Step 2— Inflate or deflate MM to 1977 dollars. 

Step 3— Enter Table 5 and determine the number of months of supply (NMS) to be 
initially provisioned. 

Step 4— Arrive at the investment cost, ICES, by applying the following formula: 
ICES = MM X NMS/12 
where : 

MM = maintenance material cost per year per fleet 
NMS = number of months stock from Table 5 


Table 5. Material Stock Levels 


1977 dollars 

Number of months 
stock (NMS) 

$ 0 - 199 

$ 700 - 499 

$ 500 - 999 

$1000 ^ 3000 

Over $3000 

12*month stock 
6>month stock 
4<month stock 
?-month stock 
1 -month stock 


Annual usage cost can be calculated from the formula; 

MM = (NA X UTIL X QPA x FR/1000) x CU 
where; 

MM == maintenance material cost per year per fleet 
NA = number of airplanes in the fleet 
UTIL = utilization in flight hours/year /airplane 
QPA = quantity of the item per airplane 

FR = unit throwaway rate per 1000 flight hours for the average flight 

length being considered 

CU = cost per unit or item 

For the CBDOM, ACES will be modified to allow the user to override the values in 
Table 5. 

Rationale— Table 5 is based on work by R. H. Wilson(19) and considers the cost of 
replenishment and the cost of holding stock to determine an economic order quantity. 
If a significant number of FTFCS parts turn out to be expendable, a more appropriate 
algorithm would have to be developed to include penalties of stockout. Optimization 
of stock would be effected by determining the maximum profit stock level using tlie 
optimization technique described in Section 5.4. 


45 



ICGS-^'llie cost of ground support equipment includes the procurement cost of stands, 
slings, Jigs, fiKtui'es, tools, gages, jacks, servicing rigs, test equipment, vehicles, and 
anything used for maintaining, overhauling, repairing and testing airplanes, engines and 
rigging flight conti’ols. Such items are designed for use with any airplane type, or they 
become special items and should be included In ICST below. Thus, ICGS would include 
general-purpose automatic test equipment (ATE), 

ICST—llie cost of special tools and test equipment includes equipment that con be 
used only on one airplane or equipment type. General-purpose equipment is to be 
included in ICGS. 

ICTM— I1)is is the investment cost in training equipment for such items as students' 
notes, models, movies, and training aids. Flight simulators may require modification 
for different configurations of fault-tolerant systems, and modifications are included 
as a port of ICTM in such a case. 

Provision in ACES for including investment costs for buildings, ramp equipment, and 
maintenance manuals will be eliminated. The first two items are irrelevant for FTFCS 
and die last item is normally included in the purchase price, ICAP. 

5.3.3 Operating Cost Definitions 

Operating costs (OC) consist of all costs associated with operating on airline. Several 
new cost categories will be provided in ACES to accommodate the detail provided by 
the 0<5cM simulation output. The definitions below identify costs that are design 
dependent. Costs such as spares holding, delays, and cancellations do not correspond 
to the Civil Aeronautics Board (CAB) Form 41 cost breakdown. Operating costs are 
defined as the sum of the cost entities below; 

OC= Mhh + MSL + MM + SSC + MB + OS + MT + FCT + SH + FCR + 

DC + CN + DT + CDS + CLP + TCE + TCP + OTHER 

Where : 

• Labor-related operating costs 

MLL = maintenance line labor 
MSL - maintenance shop labor 
MM = maintenance materials 
SSC = shop and servicing supplies 
MB = maintenance burden 

• Other operating costs 

OS = outside services 

MT = maintenance training 

FCT = flight crew training 

SH = spares holding cost 

FCR = fuel cost reductions 

DC = delay costs 

CN - cancellation costs 

DT = diversion and turnback costs 

CDS = debt servicing 

CLP = lease payments 


46 


TCE s equipment transportation costs 
TCP = personnel transportation costs 

Inflation or deflation of any operating costs not specified by means of a lookup table 
will be at a standard user-supplied inflation rate (default = 8 percent). 

Labor-Related Operating Costs— Include MLL, MSL, MM, SSC, and MB as discussed 
below. 

MLL— Maintenance line labor cost consists of the compensation paid to all personnel 
engaged In line maintenance of any type, plus the employee insurance, fringe benefits, 
and pensions that are not directly included in compensation. Subroutine MLABOR of 
ACES requires modification to accept output from the O&M model instead of input 
from the user. Maintenance line labor is to be calculated as follows: 

RAGE 

MLL » 2 i(ML(J) X MLBF x MPW) 4- (MLOTiJ) X MLOR)) x BPMH (J) 

J«*0 


NS 

ML (J) « 2 <WHL (J,S) X SLF (S)) 

S»1 

NS 

MLOT (J) - (MHLOT (J,S) x SLF IS)) 

S»1 

where; 

MLL = maintenance line labor cost in dollars for all J years 

summed from J = 0 to the retirement age (RAGE) in 
years 

ML(J) s maintenance line labor for the Jth year for regular time 

in hours (simulation output) 

MLOT(J) = maintenance line labor overtime for the Jth year 
(simulation output) 

BPMH(J) = base pay /labor hour for year J (see table 6)^20)^ dollars 

MLBF = maintenance labor fringe benefit factor 

= 1.0 (to be included in burden, MB) 

MPW = maintenance hours paid to worked ratio 

= 1.0 (to be included in burden, MB) 


47 



r«6/l9& B»m Pty (Mf Labor Hour 


Year 

Bale $/labor hour 
(BPMH) 

Year 

Bate $/labor hour 
(BPMH) 

1962 

3.28 

1971 

6.97 

1963 

3.43 

1972 

6.54 

1964 

3.57 

1973 

7,10 

1965 

3.72 

1974 

7.62 

1966 

3.83 

1975 

a46 

1967 

4,19 

1976 

9.10 

1966 

4.31 

(1977) 

9.99 

1969 

4.71 

(1978) 

10.87 

1970 

5,59 

(1979) 

11.64 


Not«; R«f 0 r«nc« CAB Sch«dut« P10 Form 41. Ytari in partnthtiM ar« tttimatai, sinca 
reporting ttoppad in the third quarter of 1977. 


MLOR 

MHL(J,S) 


SLF(S) 


MHLOT(J,S) = 


ratio of overtime to base pay BPMH(J) 

labor hours line in the Jth year for the Sth skill level 
obtained as output from the l:<ne maintenance simulation. 
MHL(J,S) for fractions of a year must be multiplied by 
365/days simulated. 

skill level compensation ratio for skill level S of NS 

compensation for skill level. S(J=0) 
compensation base rate, CPMH(J=0) 

overtime labor hours line in the Jth year for the Sth skill 
level obtained as output from the line maintenance 
simulation. MHLOT(J,S) for fractions of a year must 
be multiplied by 365/days simulated. 


MHLOTF(J,S) 


iMHmTfi V overtime compensation rat 

' ’ ' ^ regular time compensation rate 


MSL— Maintenance shop labor is calculated in the same way as MLL, except that 
MHL(J,S) and MHLOT(J,S) are changed to MHS(J,S) and MHSOT(J,S) wherever they 
appear and are obtained from the repair shop simulation. These changes affect 
subroutine MLABOR of ACES. 


MM— Maintenance materials is the total cost of maintenance materials plus expend- 
able parts purchased in a given year to replace those consumed. ' aintenance material 
usage is generated only in the simulated repair shops. Input to ACES from the 0(ScM 
simulation will be directly in units of dollars material cost per fleet per year in a 
specified year's dollars. Subroutine MMATER of ACES must be changed to accom- 
modate the alternative input, and inflation or deflation of specified year's dollar input 
will be in accordance with Table 7. Further work is required to validate and extend 
Table 7 for flight control system maintenance materials. 



T§bfe 7, Material Inflation Factors 


Ywr 

Inflation 

factor 

Malarial 

Incraaia* 

(%l 

Yaar 

Inflation 

factor 

liijPH 

1050 

0.6696 

'M* 

1960 

a6683 

MSM 

I960 

a66oe 

0 

1070 

a7000 

BiH 

1061 

aS719 

a4 

1971 

a7289 


1062 

aS696 

-a4 


a7600 

2.9 

1063 

0,5702 

0.1 

IS 

a7905 

&4 

1964 

0.5799 

1.7 

1974 

a8696 

10.0 

1965 

a5915 

zo 

1976 

1.0000 

15.0 

1966 

0.6081 

2.8 

1976 • 


7,5 

1967 

0.6221 

2.3 

1977 

■KgB 

6.2 

1968 

a6400 

ZO 

1978 

IB 

a6 


*Ov«r th« prtviout yiar 


SSC— Shop and servicing supplies cover the cost of supplies and expendable small tools 
and equipment used in maintaining, servicing, and cleaning property and equipment 
that cannot be directly assigned to a specific job or type of work* Because a cost- 
estimating relationship is not available for SSC, the analyst must estimate it using the 
"Other” cost category provided in ACES for input. 

MB— Maintenance burden (or overhead) is a total airline system-related cost that has 
been allocated back to airplane types. It is not an airplane- and engine-originating cost 
like fuel consumption or direct maintenance material consumption and is not a proper- 
ty of an airplane type as reported to the CAB. 

Total maintenance costs are divided according to CAB Form 41 into three direct 
charge accounts for airframe, engines, and other. An indirect account, burden, is 
further subdivided into a number of accounts, comprised as follows: 

• Labor for ground property and equipment 

• Material for ground property and equipment 

• Maintenance trainees and instructors 

• Unallocated labor 

• Communications personnel 

• Recordkeeping and statistical personnel 

• Purchasing personnel 

• Other personnel 

• Utilities (heat, light, power, water) 

• Outside services 

• Rentals 

• Shop, servicing supplies 

• Employee benefits 

• Payroll taxes 

CAB-reported burden is, in fact, an inseparable mixture of airline-sensitive and 
airplane-sensitive elements. Airline-sensitive elements include a very large number of 
independent and interdependent elements, among them being: 


49 
















• The mix of airplane types 

• Route structure 

• Geography end climate 

• Maintenance philosophy 

• Labor union contraetual provisions 

• Efficiency 

• Management intrastructure 

To compound the analytical problem, a great deal of latitude is inherent in CAB 

reporting requirements, so that tremendous differences exist among various airlines 
flying identical equipment. As deregulation continues, even this flawed (from the 
standpoint of making airplane comparisons) data base is likely to disappear. Given this 
environment, it would be tempting to ignore burden altogether. Yet, to do so would 
bias Comparisons. For example, a maintenance scheme that relies on rotatable spares 
and is, therefore, labor-intensive, would not be correctly compared with one that 
relies upon replaceable spares and is material intensive. In other words, one 
recognizes that there is a design-sensitive burden to be compared among designs, and 
this entity is what CBDOM attempts to handle. Design-sensitive burden, then, and 
CAB Form 41 burden are distinet entities. The former is appropriate to design 
comparisons; the latter is useful for assessing financial aspects of particular airline 
operations. Users of CBDOM are cautioned that these two types of burden are related 
only because they share some common terminology. This does not preclude the use of 
CAB data inferences vvhefe appropriate, such as labor fringe benefit factors and the 
ratio of support personnel to direct labor. 

Design-sensitive burden includes two major elements; 

• Labor burden 

• Labor and material for maintenance of ground property and equipment 

Spares holding cost, outside services, and shop and servicing supplies, which also are 
design-sensitive and normally included as burden in CAB Form 41, are separated out in 
the CBDOM under SH, OS, and SSC. 

Use of design-sensitive burden represents an improvement of the method currently 
used in ACES. The subroutine MBURDEN of ACES must be changed to replace 
maintenance burden by design-sensitive burden. 

Design-sensitive burden elements consist of: 

• Payroll taxes 

• Fringe benefits 

• Insurance 

• Pensions 

• Educational reimbursement 

• Nonproductive time 

• Vacations 

• Sick leave 

• Holidays 



50 


• Support; persoimel 

• Giiords 

• Custodians 

• Building tradesmen 

• Tool crib attendants 

• Administration 

• Timekeeping 

• Payroll 

Algorithms for labor burden follow, in the same order. 

• Payroll Taxes— Federal payroll taxes (FICA) will be opplied to direct wages at 
the 1979 rate of 6.13 percent, escalating at an additive rate of O.l percent/year 
after 1979. The State rate will be computed at 50 percent of the Federal rate. 
For a composite rate of 9.2 percent, escalating at 0.15 percent/year, the 
multiplicative factor is 1.092 + 0.0015/year aft<fr 1979. 

• Fringe Benefits According to CAB Statistics— The 1979 fringe benefit factor is 
1.23 X direct wages, escalating at 1 percent per annum, additive. 

* • Nonproductive Time— The ratio of total time to productive time is 2080/1870 » 

1.113. 

• Support Personnel— The best estimate of this is obtained from CAB Form 41 
data, which show that unalloeeied shop labor is equal to 20.0 percent of total 
burden. Since the average ratio of total burden to direct labor is 2.7:1, this 
category is equal to 2.7 x 20 percent = 54 percent of direct labor. The 
multiplicative factor is, therefore, 1.54. 

a Administration— Administrative costs are estimated as 1/2 percent of payroll. 

As nn example, for 1979 the overall multiplicative factor applied to direct labor is: 

1.092 X 1.23 X 1.113 X 1.54 X 1.005 = 2.314 

For 1980 the overall factor would be: 

(1.092 + 0.0015) X (1.23 + 0.01) x 1.113 x 1.54 x 1.005 = 2.335 

This implies that the labor-related charges account for (2.314/2.7) x 100 = 86 percent 
of total burden. 

Labor and Material for Maintenance of Ground Property and Equipment— The labor 
component comes to 3.75 percent of total burden, which averages 2.7 times direct 
labor} 2.7 x 3.75 percent = 10.1 percent of direct labor. This figure is supplied to guide 
the analyst who must input this cash flow for FTFCS into the CBDOM. 

• OS— Outside services will be used as a separate cost category for FTFCS 
equipment repaired by an associated or nonassociated company, Input to ACES 
will be from the O&M simulation in terms of ORPY, the number of total outside 
repairs by year; ORMH, the average outside repair man (labor) hours per repair; 


5 ! 



ORMM, the overage outside material cost per repair? and the year dollars 
associated with the material cost. A new subroutine is required in ACEIS for 
handling OS as follows: 

OS(J) - [(ORMH X BPMH(J) x OSB) -f (0 ,lMM(B) X MMF(J)] x 
ORPY(J) X OSPM 

where: 

OS(J) = outside services cost in dollars for year J for the fleet 

OllMH = average outside repair men (labor) hours per repair 

BPMH(J) = base pay per man (labor) hour (see table 6) (or year J 

ORIVIM(B) = average outside repair material cost per repair for the 
user-specified base year B 

MMF(J) = inflation/deflation factor to convert maintenance 

material costs from year B to year J. Factors are 
provided in Table 6. 

ORPY(J) ~ the number of outside repairs for the fleet in year J 

OSB = outside services burden factor (default - 2.335 for 1980) 
(see MB) 

OSPM =: outside services profit markup factor (assumed default = 
1.15). Further work is required to validate this value. 

Rationale— Outside services are included as a new element of ACES to permit 
determination of the optimum repair level for equipment. While outside service 
expenditure for the larger airlines is small, the use of outside services and 
facilities may avoid investment in infrequently used equipment or avoid 
shortages and delays due to an inability to handle peak work loads. 

• MT— Maintenance training consists of nonrecurrent and recurrent training 
associated with the introduction of new equipment. A method of estimating 
maintenance training cost has not been developed. 

• FCT— Flight crew training consists of nonrecurrent and recurrent training 
associated with the introduction of new or modified airplanes. A method of 
estiinating flight crew training cost has not been developed. 

• SH— Spares holding cost is the annual cost of holding rotatable and expendable 
spares and materials in stock, consisting of: 

• Warehousing 

• Recordkeeping 

• Administration of stocks and stores 

• Inventory taxes 

• Insurance 



52 


Spares holding cost can be estimated from the formula; 

Sll = SUP X (ICRS + ICES) X MMF/100 
whore: 

Sll = spares holding dollars per year per fleet 

SUP = spares holding cost percentage of inventory 

= 10 percent (a user override for SHP will be provided for 
the CBDOM) 

ICRS = rotatable spares investment 

ICES = expendable spares and material investment 

MMF = maintenance material inflation factor 

In the above expression, SHP (the holding cost as a percentage of inventory) is 
based on an industry-accepted figure of 25 percent, which includes ’’cost of 
capital." Since "cost of capital" is accounted for in the CBDOM by using present 
equivalent value accounting with an MARK of 15 percent, the residual holding 
cost is 10 percent. Of this 10 percent, approximately 25 percent is recordkeep- 
ing and administration. Recordkeeping and administration are included in 
maintenance burden in CAB Form 41 reports, but for design analysis have been 
separated out as a function of spares inventory value. Further work is required 
to verify the industry-accepted spares holding costs. 

• FCR— Fuel cost reductions due to eliminated weight or drag are to be separated 
from fuel cost penalties (FCP) resulting from weight and drag increases, but are 
calculated in the same manner, ACES does not currently provide for separation 
of costs and benefits, and a subroutine for this purpose will be added. Incre- 
mental fuel saved or burned is determined by the CBDOM user from airplane 
aerodynamic and engine performance data in units of weight of fuel burned per 
unit of incremental weight change per flight hour. Typical mission summaries 
are shown in Table 7, and the resultant incremental reduction or cost of weight 
are provided in Table 8 for the average flight lengths of Table 9. 

The fuel used/flight hour in Table 8 is accurate only for the average flight of 
Table 7. The exact determination of error in applying fuel used/flight hour based 
upon average flights to shorter or longer flights has not been established. 

FCR is currently calculated as shown below. User inputs can be changed to 
metric (KMS) units if preferred by NASA. 

FCR = FCPA X WIC X UTIL x NA x DG/PG 

where; 

FCR = fuel dollars change/fleet/year 
WIC = weight increment change, pounds 
UTIL = utilization in flight hours/airplane/year 


S3 


Table & Cost of Additional Airplane Weight, Bated on 3000 Flight Hours/Year 


Airplane model 

707.320B 

727-100 

727-200 

737-200 

747-200 

747SP 

Kilograms of fuel/ 
flight hr/kg of weight 

aOS636 

0.03707 

0.03964 

0.04688 

0.04978 

0.04969 

Weight of fuel/ 
additional weight/yr(kg| 

169.1 

111.2 

iia9 

14tt6 

149.4 

149.1 

Cost of 1 .0 kg 
wel^t/year 







3(Wgal 

16.69 

10.98 

11,75 

13.89 

14.75 

14.75 

4(Wgal 

22.26 

14.64 

15.65 

ia52 

19.66 

19.66 

50(i/gal 

27,82 

ia29 

19.58 

23.13 

24.58 

24.58 

6(M!/gal 

33.37 

21.95 

23.47 

27.76 

29.49 

29.49 


NA = number of airplanes in the fleet 

DG = fuel price, dollars /gallon 

PG = pounds/gallon of fuel (equals 6.7) 

FCPA = pounds of fuel consumed/pound of added weight 

(or saved/pound of reduced weight) /airplane/flight hour 

Fuel consumed because of drag (FCD) can be derived from the expression below. 
However, ACES requires the user to convert drag to a weight equivalent for use 
in the algorithm for FCR. 

FCD = FCPD X Die x UTIL x NA x DG/PG 

where; 

FCD = fuel dollars change/fleet/year 
Die = drag increment percent change 
UTIL = utilization in flight hours/airplane/year 
NA = number of airplanes in the fleet 
DG = fuel price, dollars/gallon 
PG = pounds/gallon of fuel (equals 6.7) 

FCPD = fuel consumed/1 percent increase in drag in kilograms of 
fuel/ flight hour 

= 36.28 kg of fuel/ flight hour for a 707-320B with 3.23 hours 
average flight length 


54 




Table d. Mission Summary 


Model 

707-320B 

727-100 

727-200 

737-200 

747-200 

747SP 

Engines 

JT3D 

JT8D-7 

JT8D-9 

JT8D-9 

JT9D-7A 

JT9D-7A 

Average flight (hr| 

3.23 

1.16 

1.11 

0.80 

5.38 

7,65 

Average flight (km)* 

2 576 

793 

734 

526 

4 637 

6618 

Payload (kg) 

8 437^ 

5307^ 

7 575*^ 

6 214^^ 

44 920® 

30 402® 

Reserves (kg) 

6 468 

4 536 

4 536 

3 175 

16 284 

14 515 

OEW (kg| 

64 864 

40 370 

45 359 

28 576 

170 006 

144 923 

Fuel consumed 
per flight (kg) 

13 376 

3 931 

4 073 

1 960 

57 565 

66 771 

Brake release 
gross weight (kg) 

93 145 

54 143 

61 543 

39 925 

288 485 

255 372 

Climb speed schedule 







U.S. rules 

No 

Yes 

Yes 

Yes 

Yes 

Yes 

KEAS/Mach 

300/0.78 

280/0.75 

280/0.75 

280/0.65 

320/0.81 

320/0.81 

Cruise Mach 

0.78 

a80 

0.80 

0.72 

0.84 

0.85 

Cruise altitude (m) 

,1 887 

10 668 

10668 

9144 

10 668 

12 497 

Descent speed schedule 







U.S. rules 

No 

Yes 

Yes 

Yes 

Yes 

Yes 

KEAS/Mach 

260/0.78 

280/a80 

280/0.80 

280/0.75 

320/0.81 

320/0.81 

Temperature 

Standard 

Standard 

Standard 

Standard 

Standard 

Standard 


day 

day 

day 

day 

day 

day 

Winds 

0 

0 

0 

0 

2 

0 


^Based on scheduled carrier data, cumulative through July 1974 for 707, 727, 737 and based 
on September 1974, September 1975 and September 1976 for the 747 

^Nominal 55% passenger load factor + cargo 
'^55% load factor with volume limit of cargo 

= 24.04 kg of fuel/flight hour for a 727-100 with 1.16 hours 
average flight length 

= 27.22 kg of fuel/flight hour for a 727-200 with 1.11 hours 
average flight length 

= 20.41 kg of fuel/flight hour for a 737-200 with 0.8 hour 
average flight length 

= 107.96 kg of fuel/flight hour for a 747-200 with 5.38 hours 
average flight length 

= 88.00 kg of fuel/ flight hour for a 747SP with 7.55 hours 
average flight length 


S5 








ACES will be modified to accept weights and fuel cost in KMS or foot, pound, 
second (EPS) systems. As with the formula for fuel burned due to added weight, 
the drag cost-estimating relationship is provided as an approximate guide. In 
studies where a more accurate answer is required or where drag represents a 
significant portion of total cost, a detailed performance analysis is required. 

• DC— Delay costs for the airplane are calculated in ACES by evaluating three 

tangible costs consisting of: 

• Passenger handling costs 

• Extra crew costs 

• Lost passenger revenue 

During Phase II, an airline survey is proposed to determine the values placed by 
airlines on loss of goodwill due to delays and to determine more exactly the loss 
of passenger revenue. In the interim, the following method is currently used by 
ACES: 


DC = (PHC + ECC + LPR) x SQA x DPC x ADM x UTIL x NA 
X DRCAAFLH x 6000) 

where ; 

DC = delay cost dollars/year /fleet 

PHC = passenger handling cost, dollars/seat delay hour 

PHC(76) = 0.2171 

ECC = extra crew cost, dollars/seat delay hour 
ECC(76) = 2.442 - 0.0038 SQS 


LPR = lost passenger revenue, dollars/seat delay hour 

LPR(76) = (LF X (27.5689 AFLH - 1.373) 

X 0.8712 EXP(0.0454 - 0.2271 AFLH))/ 

(1 + 1.3877 AFLH) 

SQS = seat quantity, standard for airplane type (see table 10) 


Table 10. Standard Airplane Seating 


Airplane 

Standard-quality 
seating (SQS) 

737-200/DC9-40 

115 

727-200 

131 

DC10-10 

270 

L-1011 

268 

707/DC8 

143 

747 

385 


k k 


I I 


o 


kJ 


‘i 'f 




0 


0 


56 



LFR 

load factor (decimal^ not percent) 

SQA 

~ seat quantity, actual 

DPC 

= delays/100 flights 

ADM 

= average delay time/delay (minutes) 

UTIL 

= utilization in hours/year/airplane 

NA 

= number of airplanes in the fleet 

AFLH 

- average flight length (hours) 

DRC 

= delay rate correction factor 


F X AFLH + 1 - F 
“ F X DAFL + 1 - F 

DAFL 

= average flight length (hours) associated with DPC 

F 

= flight hour/flight cycle factor for 1-hour flight from 
Table ll 


Table 1 1. Flight Hour/Flight Cycle Failure Factors by A TA S^terr} for a 1-hr Flight 


System 

Factor 

System 

Factor 

21 

Air conditioning 

0.58 

52 

Door 


22 

Automatic flight 

a59 

S3 

Fuselage 


23 

Communications 

a66 

54 

Nacelle and pylon 


24 

Electrical 

0.74 

55 

Stebilizers 

a49 

25 

Equipment and furnishings 

0.38 

56 

Window 

a9o 

26 

Fire protection 

0.25 

57 

Wing 


27 

Flight control 

0.92 

71 

Povverplant 


28 

Fuel 

0.94 

72 

Engine 


29 

Hydraulics 

a98 

73 

Engine fuel 


30 

Ice and rain removal 

a97 

74 

Ignition 

1.00 

31 

Instruments 

0.65 

75 

Engine air 

a29 

32 

Landing gear 

ai8 

76 

Engine control 

1.00 

33 

Lighting 

0.78 

77 

Engine indicators 

0.85 

34 

Navigation 

0.67 

78 

Exhaust 

0.45 

35 

Oxygen 

0.55 

79 

Engine oil 

a57 

36 

Pneumatics 

a26 

80 

Starting 

0.67 

38 

Water and waste 

a33 

82 

Water injection 

0.45 

49 

APU 

a90 

99 

Overall airplane 

a78 


Note: Based on an analysis of 727 commuter and regular operation. 


57 








Since DPC is no longer a user prediction based on historical delay data for a 
given historical flight lengthy but is derived from the 0&;M simulation, the delay 
rate correction factor DRC is not required and should be set toi 1.0 in ACES. 
The derivation of the above formulas is detailed in D6-40895-l^^^\ An abstract 
of Reference 21 is provided in Appendix XI, which shows the method of deriva- 
tion of delay and cancellation costs. The formulas in Reference 21 have been 
transposed to the forms above using the following relationships and appropriate 
inflation factors: 

S = (AFLH - 0.2)/1.93 
■ d = 0.4277 + 0.5867 x AFHL 


where: 

S = flight length in 1000s of statute miles 
d = hours after which a delay becomes a cancellation 

Inflation and deflation factors necessary to convert delay costs to other years 
are provided in Table 12 and are derived from CAB Form 41 reported pilots' and 
copilots' pay (Account 23) for major domestic carriers. 


Table 1Z Pilot and Copilot Pay Inflation Factors 


Year 

Flight crew factor 

1967 

a4847 

1968 

0.5485 

1969 

0.5960 

1970 

a6570 

1971 

a7040 

1972 

a7370 

1973 

a7737 

1974 

a8436 

1975 

0.9439 

1976 

1.0000 


Inflation factors for 1977 and on are calculated as shown below: 

FCF(J) = flight crew inflation factor for the Jth year of operation 

FCF(J) = (1 + (FCINF/100))’>*(YEAR + J - 1976) 

where: 

FCINF = flight crew annual inflation rate as a percentage 
= 8.0 percent for design studies 

YEAR = calendar year for the start of operation 


58 




• CN— Cfliiccllation costs consist of all the costs of a delay up to the time the 

flight is canecUed plus costs associated with loss of airplane use for the flight 
hours It Is out of service. Calculation of the delay cost portion of cancellations 
is bused on the average delay time preceding a cancellatlonf ADMC. 

CN = (CNDC + CNDL) jc CNPM x UTIL x NA/(1000 x AFLH) 

where : 

CN s cancellation dollars /year /fleet 

CNUC = cancellation delay, dollars/cancellation (see below) 

CNDL = cancellation downtime, dollars/cancellation (see below) 

CNPIVI = cancellations/1000 departures/airplane 

UTIL = utilization, flight hours/year /airplane 

NA = number of airplanes in the fleet 

AFLH = average flight length in hours 

• Cancellation, Delay Cost Contribution—For the above expression for CN: 

CNDC = (PHC + ECC + LPR) x SQA x ADMC x DRC/60 
where: 

ADMC = average delay minutes preceding cancellation 
= 25 + 35.2 X AFLH 

AFLH = average flight length in hours 

See DC (delay cost) for all other quantities. 

ACES requires changing to accept CNPM and ADMC as outputs of the 
0(ScM simulation. The algorithm for determining the value of ADMC as a 
function of flight length is no longer required and will become a user input 
for each station type. 

• Cancellation Downtime Loss Contribution—For the above expression for 
CN: 


CNDL(1972) = 0.003 x OEW x FHL 
where: 

OEW = operating empty weight, pounds 
FHL = flight hours lost 

It should be noted that the above does not include the costs of eliminating 
problems that cause the cancellation. Such problems, when mechanical, 
will be included in maintenance labor and material, ML and MM. ACES 
will be changed to accept OEW in both KMS and FPS units. 

• DT— Diversions and turnbacks will be simulated in the O&M simulation when 

equipment drops to a turnback-critical complement of components. A new 
subroutine is to be added to ACES to accommodate diversions and turnback costs 
as follows: 


59 


DTU977) = O.O067 x (517 AFLH - 103) x SQA x DTY X NA 
where j 

DT = diversions and turnback dollars/year/fleet (1977 dollars) 

AFLH = average flight length, hours 
SQA = seat quantity /airplane, actual 

DTY = number of diversions and turnbacks/airplane/year obtained 
from the simulation 

NA 5= number of airplanes in the fleet 

• CDS— The cash flow due to servicing, obtaining, and repaying debt is to be 

included in ACES. CDS includes all cash flows associated with debt, namely, 
receipt of a sum at time J = 0 equivalent to all investments made, interest 
payments (CIP) on the debt, and repayment of debt in the final year J = DEBTL. 

Since CIP can be deducted from income before taxes, it must be included as a 
term in XITAXP in ACES subroutine TAXCD and its present equivalent value 
calculated in subroutine CUMPEX. The income from unallocated debt funding 
will be neglected since it is nonexistent with a mature fleet size at the J = 0 
year and small for the more realistic fleet build-up case. For simplicity, a single 
debt repayment is assumed to be effected in the DEBTLth year. 

The following additional inputs to ACES are required; 

DEBTL = the term of the debt in years. The retirement age of equipment 
(RAGE) is to be used as a default for DEBTL. 

DEBTl = the percentage annual interest paid on the debt (default = 9) 

Interest payments in the Jth year are given by; 

CIP = ICSUM X DEBTI/100 

where; 


RAGE 

iCSUM » ICRS(J) ....... ) 

J=0 


where; 

ICSUM = sum of all investment costs 

CIP - interest payments (of equal size) for each year 

CDS(J) “ debt cash flow in year J 


60 



CDS(J) = -ICSUM + CIP} for J « 0 

s CIP; for J 3 1 to (DEim - 1) 
= ICSUM + CIP; for J = DEBTL 


where: 


DEBTL 

CDS - 2 

ft 

J-0 

CDS s cumulative debt servieing cost 

Present equivalent value of debt servicing cost PEVCDS(J) is calculated as 
follows: 


CDS (J) 


(1 + MARR (J) / 100) *0 


DEBTL 

2 pevcds U) 

J«0 


• CLP— This is the negative cash flow of lease payment, made for a defined period 
of time by a lessee airline operator to the lessor who is the actual owner of the 
equipment. All investment tax credits and depreciation are to the benefit of the 
lessor; therefore the lessee’s payments are treated as a pure expense item that is 
deducted from the gross income (or savings) generated by the leased equipment. 
Recall that savings and benefits have the same tax consequences as actual 
income. Because leases are not investments, competing lease schemes should 
not be ranked Using the investment criterion of EROI; Instead the present values 
of the various alternatives should be used for ranking. This would apply even for 
those alternatives that are not leases. 

Since CLP is deducted from income before taxes, it must be included as a term 
in XITAXP in ACES subroutine TAXCD, and its present equivalent value must be 
calculated using CUMPEX. 

For sitnplicity, only equal lease payments will be treated, and the value of 
purchase options will not be included, This simplification, however, corresponds 
to contemporary reality, in which variations on equal payments are seldom 
encountered. 

The following additional inputs are required; annual lease percentage (ALP) 
(default 12) and the final year of the lease (FlNL). While debt payments are 
made in arrears (i.e. after use of the money), lease payments are customarily 
made in advance. 


PEVCDS (J| 


PEVCDS » 


61 



The annual lease payment is o complex function of the lessor's cost of capital, 
the lessor's tax situation, the duration of the lease, the residual value of the 
equipment at lease end, and the requirements of lessor, lessee, and (frequently) 
the lender. In the 1979 business environment, a reasonable default value for a 
long-term lease will be ALP = 12 percent of the value of the leased Item's 
ICSUM. Other percentage values may be input at the option of the analyst. 

Lease payments in the Jth year are given by*. 

CLP(J) = ICSUM X APL/100 

where; 

ICSUM = all investments (also see debt servicing CDS) 

RAGE 

ICSUM " (iCAPiJ^ ICRS(J)’ ) 

J-0 

FINi. 

CLP * 2 CLP(J) 

J«0 

CLP cumulative lease payments 

Present equivalent values of lease payments are calculated as follows: 
PEVCLP(J) = CLP(J)/((1 + MARR(J))^*J) 

FINL 

PEVCLP - PEVCLP (J) 

J-0 

When lease is used in ACES, the input will be made in the same manner as for 
investments. After ICSUMhas been Used to calculate CLP, the investment costs 
and associated investment tax and depreciation allowance will be zeroed out. 

• TCE— Transportation costs for equipment are the costs for packing and shipping 

rotatables and components between stations and vendors. 

TCE s SC + PC 

where : 

TCE = transportation cost in 1979 dollars/shipment in the continental 



sc » shipping cost (air freight) /one-way shipment, $35. OO minimum 
plus $0. 4536/kg ($1. 00/lb) for excess weight over 15,88 kg 
(35 lb), In 1979 dollars 

PC = pocking and unpacking cost at 30 minutes for each operation 
($30.00, burdened 1979 dollars) 

The calculation of TCE requires a new subroutine in ACES, and packaged weight 
should be taken os component weight times 1,25. Component weight Is a user 
input. 

• TCP— Transportation costs for personnel are the costs of flying mechanics to and 

from stations requiring support and are given by the expression: 

TOP (TEHC X RSFT) + (TSHC x TST) 

where: 

TCP s cost per round trip, 1980 dollars 

TFHC = charter flight cost per hour multiplied by jet-to-charter 
flight speed ratio of 4 
s 400 (in 1980 dollars) 

RSFT = round trip jet scheduled flight time in h-^^urs 

TSHC = transportation standby cost in dollars/hour 
= 20 (in 1980 dollars) 

TST = transportation standby time in hours 
5.3.4 Tax Adjustments 

Tax adjustfnents (TA) that apply to fault-tolerant flight control systems may consist 
of three tax entities as shown below. The following paragraphs describe ITC, TDA, 
and INC. 

TA = ITC + TDA + INC 

For airlines that are not in a position to take advantage of tax credits because of 
inadequate income, a new provision is required for ACES to eliminaw all tax adjust- 
ments. Selecting the alternative to a lease (sec. 5.2.3, CLP) eliminates ITC and TDA. 

ITC— Investment tax credit for airplanes and capitalized equipment (except 
buildings) procured between January 25, 1975 and January 1, 1981, a U.S. credit 
of 10 percent of the basis value may be deducted from tax that would otherwise 
be paid. The 1978 Congressional tax bill makes the 10 percent ITC permanent for 
laBl (and on) subject to the limitations detailed with the formula for ITC. The ITC 
can be derived from the formula: 

ITC = ITF X (ICAP + ICRS + ICGS + ICST + ICTM + OTHER) 

where: 

ITF = investment tax credit factor (0.1 from Jan. 25, 1975) 


63 



ICAP, ICRS, ICGS, ICST, ICRE, and ICTM are defined under investment costs (sec. 
5.3.2). The amount of investment tax credit that can be claimed is limited to $25,000 
+ 60 percent of tax in excess of $25,000 during 1979, and the percentage increases 
each year as shown below: 

• 1979--60 percent 

• 1980—70 percent 

• 1981—80 percent 

• 1982—90 percent 

The assumption is made that sufficient tax is paid to take advantage of all credits as 
they occur except for the two new options detailed under TA above. 

TDA— Tax Depreciation Allowance— Under Advanced Revision Procedure 76-37 (IRS- 
1690 )( 22 )j air transport equipment used in commercial and contract carrying of 
passengers and freight may be depreciated in as little as 9.5 years for equipment 
purchased after April 15, 1976. For design study purposes, a tax depreciation life of 
10 years will be used. Each yearns depreciation may be treated as an expense that is 
deductible from pretax income. Since corporate tax on U.S. income consists of 46 
percent Federal taxes plus approximately 2 percent State taxes, the tax depreciation 
allowance is equivalent to a 48-percent credit of each year's depreciation. For design 
studies, tax depreciation allowance is calculated from the formula; 

TDA = TDF x 0.48 x (ICAP + ICRS + ICGS + ICST + ICTM + OTHER) 

where the tax depreciation factor, TDF, is obtained from Table 13 and ICAP, etc., can 
be obtained from preceding definitions under IC (investment cost). 

For those airlines unable to take advantage of the fastest allowable depreciation 
because of tax carryovers or anticipated losses, provision will be made for the user to 
provide his own values for Table 13 for up to 15 years. Note that Table 13 depreciates 
equipment to a zero residual value and any cash received on retirement will be taxed 
as regular income. 


Table 13. Tax Depreciation Schedule 


Year 

Tax depreciation factor 

1 

0.2000 

2 

0.1600 

3 

ai422 

4 

0.1244 

5 

ai067 

6 

0.0889 

7 

0.0711 

8 

0.0533 

9 

0.0356 

10 

0.0178 


Note: With double deci ining balence and 

switch to sum of the years' digits 
in the third year. 


64 




Note also that ordinary and necessary expenditures paid or incurred during the year for 
repairs to depreciable property are allowable expenses and are deductible for the 
currc<’ t year. Expenditures during the year that substantially prolong the life of the 
property, or that increase its value or adapt it to a different use, are ordinarily 
classified as capital expenditures and are recovered through annual depreciation 
deductions over the useful Ufe of the property. For example, after 50,000 flight hours 
an airplane undergoes a major structural overhaul that extends its life for another 
30,000 hours. The depreciated value of the airplane then would be increased by the 
cost of the work and treated as an investment under ICAP* 

INC—Federal and State income taxes for design studies are at 48 percent of gross 
income less allowable expenses. It may be assumed that all costs included in OC (sec. 
5.3.23 are allowable. Therefore, by subtracting allowable expenses before calculating 
income tax, the impact of operating costs is reduced and can be treated as a credit on 
costs and a debit on benefits. ACES requires no change. 

5.3.5 Retirement Costs and Credits 

Equipment retirement may be planned to take place at the end of its useful life, or it 
may be premature as a result of obsolescence or failure. Both costs and income may 
result from retirement. Standard accounting practice assumes that net salvage 
receipts at the end of the planned life (RAGE) will be lU percent of the original 
equipment price after all retirement expenses have been paid. However, further work 
is required to check the validity of the 10 percent assumption, and it is clearly 
inappropriate to use it for equipment prematurely surplused before obsolescence or 
wearout. 

NRC—Net retirement credit may be estimated from the formula: 

NRC = RS + RP 
where; 

RC = retirement net dollars/fleet in the year of retirement 

RS = retirement sales income, dollars/fleet for the year of retirement 

RP - retirement preparation cost for overhaul, refurbishing, and 
inspection, dollars/fleet in the year of occurrence 

If, at the time of retirement, the value of NRC exceeds the depreciated value used for 
depreciation tax credit, the net difference is taxed as a benefit. ACES does not have 
a subroutine to calculate NRC. 

5.3.6 Operating Benefits (OB) 

Positive cash flows produced by a given FTFCS are defined as operating benefits. 
Positive cash flows might be generated as a result of: 

• Increased payload for a specified range 

• Increased range for a specified payload 

• Increased passenger appeal (and demand) as a result of improved ride quality and 
dispatch reliability 


65 



l*rovislon wUl be made for the analyst to Input benefits of a o*; ; cif ic fault-tolerant 
system configuration into tlie CDDOM in units of dollars (of a specified year) per 
flight hour for fliglUs of a given length. In addition, the ratio of flight hour-to-f light 
cycle benefit must be specified so that a benefit per flight hour for flights of any 
length can be calculated. Thus, the assessment of benefits will be external to the 
CBDOM, at least until the proposed Phase 111 of this study, when consideration could 
be given to Incorporating features for evaluation of increased payload, range, and ride 
quality. 

Entitles that decrease costs, such as reduced weight, reduced drag, improved flight 
plan scheduling, reduced maintenance, or fewer delays, are normally included as 
operating costs (OC). 

5.3.7 Economic Risk Analysis 

For tile CBDOM, risk is defined os the probability tliat the ROl is less tiian the MARR. 

The ability to perform sensitivity analyses and risk analyses will be provided for the 
combination of the O&M simulation and the modified ACES economic analysis. The 
method entails two steps: 

Step 1— Running the CBDOM until the optimum FTFCS configuration has been identi- 
fied based on point estimates for user-supplied input. 

Step 2— Varying component reliability, repair time, and purchase price about their 
average value to produce probability distributions for ROI and after-tax disposable 
income. 

The above procedure might well produce the situation illustrated in Figure 15, where 
tiie configuration with the greotest ROI also has the greatest probability of being less 
than the MARK. The CBDOM user must make the final selection. 


• Configuration (1) • Configuration (2) 



66 


5.4 OPTIMIZATION 

Incorporating an optimization method is an essential feature of the model because of 
the number of design variables possible with FTFCS. 

5.4.1 The Optimization Problem 

The FTFCS simulation output can be viewed as a response function, whereby feasible 
input variable values are converted into output or response variable values. However, 
this function cannot be defined analytically due to the complex nature of the 
simulation. Very little is known about its mathematical form (i.e., the shape of the 
functional surface in multi-dimensional space). However, some general observations 
can be made. 

It is reasonable to infer that the functional relationship between FTFCS simulation 
output variables and input variables is both nonlinear and discontinuous. Consider any 
cost benefit measurement variables (outputs) that are optimization candidates, such as 
profit, ROI, risk (the probability of achieving less than the MARK), and payback point. 
According to the simulation, the cost benefit measurement variables are functions of 
configuration variables (inputs) such as labor, maintenance equipment, and FTFCS 
components; i.e., clocks, memories, processors, sensors, etc, Due to the complex 
nature of the sunulation logic, the explicit form of these functional relationships is 
unknown. The prudent a priori assumption is to expect the simulation response surface 
to be quite irregular; i.e., highly nonlinear. Moreover, many of the configuration 
variables can assume only integer values (e.g., the number of actuators, sensors, and 
computers in an FTFCS configuration). This means that the functional relation 
between simulation inputs and outputs is inherently discontinuous. 

The selection of an optimization procedure must be guided by these response surface 
characteristics. Success requires building carefully on a simple, robust optimization 
method that can provide results in a variety of simulation environments. As discussed 
in Section 5.4.3, the Nelder and Mead method appears to provide the required capabil- 
ity and is a point of departure for optimization methods development in Phase II. 

To solve for optimum FTFCS design parameters, the method minimizes or maximizes 
one cost benefit response function (such as profit) subject to constraints on the others 
(such as payback point or risk). The optimization is an iterative process, with the 
optimizer interrogating the simulator for performance estimates at revised values of 
the configuration variables. Figure 4 depicts the general optimization procedure. 

The ability of the optimizing procedure to effectively handle a discontinuous and 
nonlinear response surface is of little consequence, unless it has a credible response 
surface to explore. The issue of response surface credibility originates frotn two 
sources: the model variability and the model sensitivity or conditioning. 

The issue of model variability is inherent to the type of simulation model. The 
CBDOM is a stochastic or Monte Carlo simulation, meaning that model outputs 
depend, in part, on the outcome of probabilistic phenomena simulated by the model 
logic. Consequently, for any fixed set of model input assumptions, a range of resultant 
values is possible for each cost benefit measurement variable (output). 

For clarification, consider that faults to FTFCS components occur within the model as 
the result of a sampling from specified probability distributions. Total system 
operating cost, and thus profit, depend on FTFCS component failures. Therefore, in 


67 



statistical parlance, total system cost is a random variable since it is a function of 
FTFCS component failure, which is itself a random variable. This means that total 
system operating cost for a series of equal time increments (such as a series of yearly 
observations) will not be equal, even though all input values are initialized to identical 
values at the start of each simulated year. At issue here is the question of which 
output value, from the realm of possibilities, to use for defining the response surface 
which will be optimized. The answer is provided by running the CBDOM a number of 
times under identical input assumptions and using the seque^:ice of resultant values to 
estimate the "expected” value of each cost benefit measurement variable; e.g., 
expected total system operating cost. The estimated "expected" value is computed by 
means of a statistical average. 

Tiie issue of response surface credibility due to the inherent model variability concerns 
tlie number of observations that must be taken for each fixed-input scenario to obtain 
a credible estimate of each cost benefit measurement variable's expected value. The 
intent of this discussion is not to explore solutions to this question, which is largely 
influenced by two current unknowns: the cost per computer run and the magnitude of 
variation in the observed output values. Rather, it is to stress that confidence in a 
computed optimal solution to the CBDOM is highly dependent on having a credible 
response surface for the optimizing procedure to explore, albeit discontinuous and 
nonlinear. Thus, it is important that the simulation represents the real world in 
sufficient detail to produce confidence in its validity, since the model may subsequent- 
ly be used for experiments that the real world would be unwilling to perform. 

5.4.2 Response Surface Conditioning 

The kind of model instability in parametric analyses that might impact the optimi- 
zation can be illustrated with a simple example. Suppose the model calculates a value 
for a performance measure y = f(x) for any value x of an input design variable. For 
example, y could be a cost benefit measure for FTFCS designs and x could be the 
number of computer memory units used in a design. Further, suppose that the proce- 
dure for calculating y = f(x) values incorporates a major branch in the logical pathway 
through the calculations. An example of this would be the choice of paths in the 
computational flow of the repair shop model. For each value of x input to the model, 
the computations proceed to a certain point. At this point, the simulation program 
logic must decide which of two computational paths it must follow to complete the 
calculation of f(x). The choice of which paths (Aj or A2? for example) to follow may 
strongly affect the outcome of the simulation and, thus, the calculated f(x) value. 

Let the path designation be represented by the logical variable A, which takes on the 
value Ai or A 2 depending on the computational path to be followed. Since this choice 
is a function of the input variable x, A can be represented by a functional relationship 
A = g(x), where g(x) ranges over the two values Ai and A 2 . The question arises: How 
systematic is this variation between Aj and A 2 as x varies over its allowed range of 
values of, say, 1 to 10? Since g(x) is assumed to have a large effect on f(x) and the 
overall parametric relationship y = f(x) is to be explored ex post facto by the 
optimization method, then, hopefully, g(x) varies between its two values in a well- 
behaved, systematic way. 

Suppose Path Aj tends to produce high f(x) values and Path A 2 tends to produce low 
f(x) values. A potentially good situation is for the choice g(x) = A 2 to occur over some 
small range of consecutive values of x (say, x = 3, 4, and 5) and for g(x) A^ to occur 
for all other values (in this case, x = 1, 2, 6, 7, 8, 9, and 10). This would be ideal (and 
probably lucky) if the effects of all the other logic in the simulation correlated 


68 


ORIGINAL PAGE IS 
OF POOR QUALITY 


positively with the effect that the g(x) choice had on f(x). In this case, a systematic 
overall variation is attained, with f(x) varying through uniformly high values for x = 1 
and 2, then through high values again for x = 6, 7, 8, 9, and 10. This is illustrated in 
Figures 16 and 17. 


Cost benefit 
effects of X 



X 


Figure 16. Separate Effects of g (x) and h (x) 


Cost benefit 
effects of X 



X 


Figure 1 7. Combined Effects of f (x) =g (x) + h (x) 


Figure 16 illustrates the two hypothetical effects mentioned. The g(x) effect on f(x) is 
represented by two horizontal lines corresponding to the differing magnitudes of f(x) 
values that tne paths Ai and A 2 tend to produce. The actual dependence relationship 
of f(x) on A = g(x) will actually be quite complicated, and the figure merely illustrates 
the overall effect on magnitudes. For example, the horizontal lines could represent 
the average f(x) value resulting from the corresponding choice. The effect of all other 
logic paths through computations independent of A are grouped together into the h(x) 
curve shown. The f(x) value at each x is a function of the g(x) effect together with the 
h(x) value, and a hypothetical "resultant” curve for y = f(x) is shown in Figure 17. In 
this example, the g(x) and h(x) effects are positively correlated, and the composite 
relationship in Figure 17 appears systematic (regardless of the large jumps in f(x)) 
thanks to the systematic behavior of g(x). 

In practice, not one, but several, design variables xj, X2, X 3 , etc. are to be varied 
simultaneously in a parametric study that may involve more than one dependent output 
variable fi(xx, X 2 , xg, . , .), f 2 (xi, X 2 , X3, . . .), etc. Furthermore, the logic, including 
Pathways Aj and A 2 , may be rerun many times in a Monte Carlo fashion to produce an 
expectation value for f(x), and this value is to be optimized. This means that the 
anticipation of ill effects, such as nonsystematic behavior of an effect like g(x), can, 
in general, be difficult and may be prohibitive. The point is that these phenomena 
must be controlled as much as possible during design of the simulation model. 

Consideration of the parametric effects during the simulation model design and testing 
phases will contribute valuable insights to help produce a reliable model. Over- 
emphasis on isolated design-point simulation objectives can result in a model that 
contains computational instabilities. Parametrically, these instabilities appear as 
erratic behavior when input parameters such as x are exercised over some range of 
values. 

The operation of the parameter optimization procedure on the computer is illustrated 
in Figure 18. The complexity of the simulation logic indicates that a fully automatic 
optimization may not be possible and is probably not desirable for the envisioned 
simulator model. Each simulation at a single design point will produce a great deal of 
information other than the performance function values f(x). Engineering screening 
analysis of these data may be necessary to judge the quality of the simulation and may 
be helpful in running the optimization program. For example, it may be desirable to 
use inanual screening to eliminate infeasible or poorly performing designs, thereby 
perhaps augmenting the optimization method. 

The optimization procedure on the computer is illustrated in Figure 18 as an inter- 
active process alternating between the simulation and optimization programs to carry 
out the iterative optimization toward a solution. The output from each simulation is 
screened manually, then transmitted to the optimization program via a shared data 
base. The optimization program then computes a candidate design point to be eval- 
uated by the simulator in the next iteration. With manual screening of the simulator 
output and interactive transmission of data between the two programs, it may be 
useful to have the optimization program provide a list of more than one candidate 
design. The engineering analyst then can select the design most likely to succeed from 
an engineering standpoint. Thus, the optimization program carries out the routine 
computations and serves as an aid to economical engineering. 

5.4.3 Simplex 

The nonlinear simplex minimization method advanced by Spendley et al.^i-^) and 
modified by Nelder and Mead(13) jg xhe baseline optimization model for this analysis. 


70 


ORIGINAL PAGE IS 
OF POOR QUALITY 


Simulation and 



economic analysis 


Optimization 



Further investigation will add to this model or replace it if the model structure reveals 
a better method. Simplex is illustrated by the flow diagram in Figure 19 and the 
Figure 20 illustration that shows its search pattern options in a configuration space of 
two dimensions. The method illustrated in these figures is meant for optimization 
over a configuration space where the independent configuration design variables X can 
take on real values and are not restricted to integer values. Thus, it will have to be 
modified somewhat. 

A simplex is a polygon having the fewest number n "i' 1 of vertices in n-dimensional 
space. In two dimensions, it is a triangle and in three dimensions, it is a tetrahedron. 
Function values f(X) can be found for each of the n + 1 vertices by evaluating f at each 
of the corresponding sets of configuration variables. Linear interpolation or 
extrapolation is a valid procedure in a configuration space region containing the 
current simplex, because the vertices provide just enough sample points to fit a linear 
model in the n variables X. The nonlinear simplex method uses what is, perhaps, the 
safest strategy in difficult minimization problems. This strategy is to reflect a vertex 
X having the maximum function value f = f(X) through the centroid X of the opposite 
face of the current simplex. Should the new vertex X*, obtained by reflection, have a 
lower function value f*, it could be retained to form a new simplex. Thus, an undesir- 
able vertex is discarded and a new simplex is formed by using the other n vertices 
(which also were used to define the centroid X) together with the new vertex. This is 
the basic simplex search step. 


71 





















of'p^3 

OF POOR QUALITY 


• RtjHwtion ittp 



’‘h 


* 


• Contraction ttap 

X** */3z+(1-^)x' 


• Expaniion (top 
x** * (1 - 7 )* +'yx* 



** 


z -Xhforfh>f* 
? -x*forf*>ff, 



X2"^ X '2 



Figure 20. Basic Simplex Operations 

The method goes on to the various other options (see fig. 19 and 20)—expansion, 
contraction, or shrinkage-depending on how the value i* compares with f and the 
other n f-values. However, the imposition of constraints and the requirement that the 
search steps use only vertices from the n-dimensional grid where the X variables take 
on integer values will bring about further modifications. 

5.4.4 Application of Simplex 

Stability and adaptability are important when selecting a simplex as a baseline optimi- 
zation method. The simplex is stable in that, to a large degree, it responds well to 
difficult problems that have badly conditioned variables. It is adaptable in that it 
responds relatively well to having its basic unconstrained search pattern modified; 
e.g., to obey constraints on the solution variables. It is felt that this adaptability 
extends to restricting its search to a grid in configuration space where the configura- 
tion variables Xi, X 2 , X 3 , . . . (e.g., Xi = number of processors, X 2 = number of 
memories, X 3 = number of clocks, . . .) can have only non-negative integer values (see 
fig. 21 ). 


73 



ORIGINAL PAGE IS 
OF POOR QUAtrTY 



Sumose there are n configuration variables X and they each have m possible values. 
IropttniSn, (minimum, maximum) value tor the objeetj^ funot^n f Xj 

“S'n ’ lu Tlul 7n* eon'oowawe gTpo nts “eprefenting combinations of 
integral X values would have to be sear^^^^^^^^ to bVevS the 

meters having, for example, m- 4 V Hp<jifrn Doints clearly an astronomical 

p!e\7 W?vriuI;?ons7a the'^ program, clearly an improve, nent over the 

astronomical 4^®. 

The important point for an optimization problem like this is that 

makeS'fa'^go^d ffirfoi^^oble^t^^^ ^"L^zation algorithms to 

fail outright. 

Thppe is still one cautionary point; no algorithm exists for finding a global optimum in 
the general nonlinear optimization problem (except sir.iple enumeration of m va ue‘ 


74 


in the grid search mentioned above). Thus, simplex is (like all known iterative 
mctliodsO really a local search method. Unless the optimization problem is known to 
be convex, there may well be local optima, and the presence of constraints makes this 
doubly likely. Again, exploring the problem structure by further analyzing the 
simulation model may help to guarantee a global optimum. Currently, it is thought 
possible that local optima will have to be accepted, depending on how much computer 
run time can be allotted to exploring the possible different local optima in the searach 
for a global solution. 

5.4.5 Sensitivity Analysis 

Locating isolated optima may not be as important in FTFCS configuration exploration 
as determining the overall parametric behavior of cost benefit functions over the 
space of configuration variables. Simplex has logical extensions to aid in exploring 
parametric trends around an optimum. For a good discussion of the siffnificance of 
simplex and the types of anolysis it makes possible, see Spendley et al.t^<). The final 
form of a sensitivity analysis for FTFCS parametric studies will be closely tied to the 
results of optimization methods development. 


75 



6.0 AIRLINE REVIEW 


During this studyi United and Delta Airlines reviewed the preliminary drafts of the 
Cost and Benefit Design Optimization Model (CBDOM) requirements and specification 
and provided a number of comments and suggestions. Most of these comments are now 
reflected in this document; the comments not incorporated in preceding sections 
express concerns that are answered below. Airline comments are shown in quotation 
marks. 

6.1 DELTA AIRLINES' REVIEW 

The CBDOM concepts were reviewed by four members of Delta's Engineering 
Performance and Analysis Group, who critiqued the model as follows; 

1. "The scope of the economic model, like the cost/benefit optimization model in 
toto, is ambitious in trying to represent accurately the real world. The economic 
modeling procedures appear to be both accurate and sufficient. If the underlying 
assumptions for much of the input were not so subjective by nature, the model 
could be excellent. However, that subjectiveness and the current lack of 
documentation for such factors as risk and inflation make the modeling highly 
susceptible to distortion." 

Answer: It is agreed that factors such as inflation can significantly bias 

operating costs and affect the optimization results, particularly for design 
features that can be made either capital- or labor-intensive. None of the 
econometric models, which might be used as a source for inflation rates, have 
performed satisfactorily in recent years. For instance, in 1978, Chasev23) 
predicted a 1979 Comsumer Price Index increase of 6.4 percent, which was in 
error by a factor of two. About the best that can be done is to use different 
Inflation rate assumptions and use "judgment" to select one of the optimized 
configurations that result. 

2. "Methods of financing do not appear to be relevant to the decision criterion." 

Answer: Different methods of financing affect the tax credits that can be 
claimed, as well as cash flow timing. Like inflation, they can perturb the 
optimized design by changing the present equivalent ratio of capital- and labor- 
dependent cash flows. Apart from their possibly important influence, little 
additional complexity results from including debt and lease funding as analyst 
options. 

3. "Cancellation penalty should be defined. Substantiation is required for chart 
showing 'passengers lost through cancellation (Appendix XI)'. A delay would 
incur definable cost quantities such as additional fuel burn and crew pay time, 
but these would likely be masked by subjective factors of lost passenger revenue 
and goodwill. Frankly, obtaining a consensus within a single airline on tlie 
appropriate economic penalty would be remote, much less within the industry. 
Further, there can be a benefit to a flight delay, for whatever reason, which 
accommodates connecting passengers who might otherwise have missed a flight; 
if the cost of a delay/cancellation is to be considered by Boeing, then this 
tradeoff should also be explored." 

Answer; Appendix XI now provides details of the current method of calculating 
both delay and cancellation costs. An updating of the delay and cancellation 
cost method has been suggested as a Phase II project (sec. 7.4) and would include 
an assessment of passengers gained as well as lost. 

76 



4. *'CAB cost reporting ciitcrla sliould bo Iho bosoUne with capability for the user 
to modify tlm input quickly and easily to reflect Its own operation, as for 
aircraft life, residual value." 

Answers CAB Form 41 cost entities are not conveniently defined for design 
optimization purposes. For instance, delay costs, as defined in this document, 
consist of costs that would be reported in several CAB Form 41 accounts. Spares 
holding cost, which is important for design Optimization, is lost in CAB accounts 
for Burden. It would be possible, for airline convenience, to reformat cost 
entities in the CBDOM to look more like CAB Form 41 entities, and such a task 
could be reconsidered for Phase ill work. 

6.2 UNITED AIRLINES' REVIEW 

The United reviev/ team consisted of the Director of Maintenance Analysis and 
representatives of the Controller's Office and Maintenance Engineering. Comments 
from United not incorporated elsewhere in this document are as follows: 

1. "The overall cost analysis shown in Appendix IX is acceptable for illustration 
purposes only. It has at least two problems that need treatment before such an 
analysis carries a persuasive impact: 

a. The selling point of the Fault Tolerant project is the rate of return on 
investment, as covered in Appendix IX. The problem with the exhibited 
analysis is that it is a fractional approach. Our experience is that when 
only a part of a program is considered it is difficult to keep costs and 
savings synchronized. Also, frequently savings in one part may accompany 
added costs in another. The acknowledgement of this fact is made in the 
comments of Appendix IX, and perhaps the final package will be accept- 
able. However, to emphasize our point, when benefits or costs are being 
used relating to Fuel/Weight ratios, Delay/Cancellations, airplane insur- 
ance, and these factors are the principal areas of economic value, one is 
always suspicious as to whether he would agree with the method of appor- 
tioning the costs and savings. We would certainly want to see a total 
analysis." 

Answer: Appendix IX was intended as an example of the type of economic 
analysis intended for the CBDOM and contains many approximations and 
assumptions that will be eliminated by the CBDOM simulation. Concern 
over cost estimating relationships, also expressed by Delta Airlines in 
Sections 6.1, items 1 and 3, should be alleviated by the work proposed in 
Section 7.4 for delays and cancellations. Developing cost-estimating 
relationships for fuel burned is a simple task by comparison with that for 
delays. Errors incurred by using fuel costs from Table S might be 
eliminated by more detailed methods of performance analysis, possibly in 
the proposed Phase III of this study. 


b. "Frequently when basic changes in unit reliability are made the removal 
rate undergoes a change, but not as great as was anticipated . , ..I would 
like to see some test cases performed before a commitment is made to 
accept results of this model." 

Answer: Considerable emphasis will be placed upon model validation in the 
Phase II study. Economic sensitivity to errors in reliability prediction also 
will be possible (sec. 5.3.6). 


77 


2. ’’The use of 'present equivalent value' as the basis for economic comparison 
alternatives is a valid procedure and should give adequate results in this 
particular model. The various parameters of the economic evaluation program 
used in the model are comprehensive and reasonable, as far as we can determine. 
Overhead costs and the application of overhead rates to direct labor dollars are 
acceptable to United. However, the use of a standard 25 percent inventory 
carrying cost would not be acceptable to United for other than as illustration of 
method— as in the model description." 

Answer; The spares holding cost detailed in Section 5.3.3 under SH was based 
upon a survey of domestic airlines made by the Contractor in 1975, for which all 
responses except one were in the range of 22 to 25 percent. Confirmation of this 
result could be considered as a Phase II or III task of this study. 

3. "This is an ambitious project, considering the level of detail that will be 
modeled. Hopefully the cost of computer run time can be held to a level that 
would permit use of the model by the airlines. If the program is to be transport- 
able to airline, airframe, avionic manufacturers, exotic extensions to FORTRAN 
should be avoided." 

Answer; The economic analysis routine and optimization routine are modifica- 
tions of existing FORTRAN programs. However, development of an operations 
and maintenance simulation with adequate detail would be an almost impossible 
task in FORTRAN. SIMSCRIPT, the language chosen for the simulation, permits 
structured, well documented programs to be written. In addition, it has been the 
intent to specify a simulation model that can be tailored to most airline 
environments without programming changes. 


7.0 PHASE U 


7.1 PHASE n OBJECTIVES 

The requested objectives for Phase II were as follows: 

’’This pliase will refine the model requirements and specifications to reflect 
current knowledge and experience. Data required, but not available, will be 
collected. A computer program implementing the model specifications will be 
generated and validated using information on current conventional flight control 
systems in accordance with Exhibit B. (Exhibit B is Langley Research Center's 
Computer Programming and Documentation Specification, October 7, 1976.) 
Tliese and perhaps additional computer runs will be structured to provide a 
preliminary sensitivity analysis." 

The work performed during Phase I of this study does not indicate any change to the 
objectives of Phase II, except that Exhibit D calls for the use of FORTRAN. The 
programming effort will be substantially reduced by using SIMSCRIPT (which is also 
available to NASA Langley). SIMSCRIPT is, therefore, tlie recommended programming 
language for Phase II. 

7.2 PHASE U, FTFCS OPERATION AND MAINTENANCE SIMULATION 

The primary concern for Phase II is the unknown cost of running a computer simulation 
of fault-tolerant flight control system (FTFCS) operation and maintenance. While tho 
SIMSCRIPT simulations produced in Phase I were inexpensive in terms of computer 
time, this may not be the case for the comprehensive Phase II simulation that is 
initially required for validation. A secondary concern is the impossibility of 
optimizing FTFCS packaging without applying constraints to the possible packaging 
combinations. This secondary concern also arises from the cost of repeatedly running 
the computer simulation for FTFCS packaging alternatives. 

With these two concerns in mind, the first task for Phase II is to program and validate 
the O&M simulation so that its running cost can be established. Sections 7.2.1, 7.2.2, 
7.2.3, and 7.2.4 provide details of the proposed work. 

7.2.1 Computer System Design (Simulation and Economic Analysis) 

• Develop system data flow diagrams for the new and existing computer programs 
required for the model. 

• Produ^' prograinstructure definitions and hierarchical input, process, and output 
charts. 

• Develop a model test plan. 

7.2.2 Computer Program Design 

• Produce a data dictionary and program psuedocode for new and changed 
programs. 

• Design input and output formats. 

• Define the range of variables and program diagnostics. 


79 



e Code and document the program. ? 

• Develop a test data stream for model testing. 

7.2.3 Program Testing 

• Exercise each module of the model over the range of each variable and compare i 

tile result with the expected output. , 4 

• Check the sequencing, control, and data transfer to and from each module of the 
model and trace events and processes in the simulation. 

7.2.4 First Model Validation 

• Using data collected on contracts NAS1-15588(24) g^d -13654(25)^ show that the 
model produces dispatch reliability, investment, and operating costs that agree 
with one airline's B747 actuals. Validation inputs shall consist of route structure, 
itinerary, fleet size, and resource quantities such as mechanics, test equipment, 
and spares. 

• Analyze discrepancies and modify the requirements, specification, and program O 

as necessary. 

7.3 OPTIMIZATION 

The nonlinear simplex method developed by Nelder and Mead^^^) pe the baseline 
method for optimization. A FORTRAN program already exists for Nelder and Mead O 

optimization. However, the optimization of such FTFCS features as packaging may 
well require development of a method of imposing constraints to reduce the number of 
configurations that require evaluation (and simulation). In addition, the very discrete 
nature of variables, such as quantity of test equipment, entails the use of integer value 
vertices from a multidimensional grid instead of the continuous variables normally 
used with the Nelder and Mead method. The proposed Phase II work to develop an 1 

optimization routine for the Cost and Benefit Design Optimization Model (CBDOM) 
that handles integer, constrained problems is provided in Sections 7.3.1 through 7.3.3. 

7.3,1 Exploratory Studies 

• Examine bounds, range and types of variables, possible constraints, and methods 
of restructuring the CBDOM to simplify the optimization. 

• In parallel with system and computer program design, modify and test the 
effectiveness of the optimization method using a limited portion of the CBDOM 
consisting of the repair shop simulation and ACES provisioning routine. 

• Investigate and document potential techniques for reducing simulation variance 
and select an appropriate method for the CBDOM. 

• When the CBDOM sensitivity studies have been completed, reassess the 
effectiveness of the optimization method used and recommend justifiable 
improvements. 



80 


7.3.2 Final Programming 


Provide details required for documentation of the finalized design as specified in 
Sections 7.2.1, 7.2.2, and 7.2.3, 

7.3.3 Second Model Validation 

Using the validation case(s) from Section 7.2.4, perform an optimization and check the 
results for validity with airline personnel. 

7.4 DATA COLLECTION AND ANALYSIS 

Much of the data required for model validation has been collected as part of NASA 
Contract NASl-15588v25). Additional data are required to determine avionic repair 
shop work load and to obtain a better resolution of the cost of delays and cancella- 
tions. It also is possible that additional data might be needed if differences occur 
during model validation. 

7.4.1 Delay and Cancellation Data Collection 

• Obtain data on the number of passengers lost or gained as a result of delays and 
cancellations and determine the correlation with delay length, time of day, type 
of flight (business or discretionary), station traffic density, and station type (hub, 
through stop or satellite). 

• Determine the extent of the disruption in schedules following a cancellation and 
method of recovery. 

(Depending upon the success of the Phase II model, further work on less tangible 
aspects of delay and cancellation costs might be accomplished as part of Phase III.) 

7.4.2 Repair Shop Data 

Obtain avionic and hydraulic repair shop statistics for model validation. 

7.4.3 Retirement Costs and Credits 

Obtain data on the retirement costs and credits for flight control or other relevant 
equipment that is surplused as a result of design improvements. 

7.5 PRELIMINARY SENSITIVITY STUDY 

• Determine the effect on airline profit of independently changing design control- 
lable input parameters using the validation case input data as a baseline. 

• Perform a B747 WLA Cost Benefit Analysis and compare these results with 
previous estimates. Modify the requirements, program, and specification as 
necessary. 

7.6 MODEL IMPLEMENTATION 

Install, test and demonstrate the CBDOM program on Langley Research Center’s 
Cyber, CDC-6000 series computers. 


81 


8.0 REFERENCES 


1* SIFT; Design and Analysis of a Fault-tolerant Computer for Aircraft Control, 
Wensley, et al. Proceedings of the IEEE, vol. 66, no. .1.0, October 1978. 

2. FTMP: A Highly Reliable Fault-tolerant Multiprocessor for Aircraft, Hopkins, 
et al. Proceedings of the IEEE, vol. 66, no. 10, October 1978. 

3. CARE m Phase I Preliminary Report, NASl-15072, April 20, 1979. 

4. Airborne Advanced Reconfigurable Computer System (ARCS), B. E. Bjurman, 
et al. NASA CR-145024, August 1976. 

5. Criteria for Approval of Category Ilia Landing Weather Minima. FAA Advisory 
Circular 120-28B, Department of Transportation, December 1, 1977. 

6. Criteria for Approving Category I and Category II Minima for FAR 121 
Operators. FAA Advisory Circular 120-29, Change 3, December 3, 1974. 

7. GOALS, a General Operations and Logistics Simulation, vol. 1, J. H. Keeney. 
Boeing Document D162-10155, December 31, 1969. 

8. MOVES, a Marine Operational V/STOL Environment Simulation, W. Henke. ESA- 
332, Naval Weapons Engineering Support Activity. 

9. Preliminary Analysis of Long-Range Aircraft Designs, NASA TM X-73, 131; 
Nelms, Murphy, Barlow, June 1976. 

10. Vehicle Design Evaluation Program, B. H. Oman, NASA CR-145070, January 
1977. 

11. A Maintenance Model for K-oUt-of-N Subsystems Aboard a Fleet of Advanced 
Commercial Aircraft, D. R. Miller. Grant NSG 1338 Technical Memorandum TM- 
66502, November 30, 1977. 

12. Sequential Application of Simplex Designs in Optimization and Evolutionary 
Operation, W. Spendley, G. R. Hext, and F. R. Himsworth. Techometrics, vol. 4, 
pp 441-461, November 1962. 

13. A Simplex Method for Function Minimization. Computer Journal, vol. 7, pp 308- 
313, Nelder and Mead. 

14. Assessment of the Application of Advanced Technologies to Subsonic CTOL 
Transport Aircraft, NASA CR-112242, April 1973. 

15. Official Airline Guides Data Tapes (published twice monthly), Dunn and 
Bradstreet, 2000 Clearwater Drive, Oakbrook, Illinois 60521. 

16. International Airline Crew Scheduling Model, A. P. Zob, AGIFORS Crew 
Management Symposium, Washington, D.C., April 30, 1979. 

17. Spare Parts Kits at Minimum Cost, G. Black, F. Proschan, Tech Memo EDL-M- 
154, NTIS/AD255316, April 12, 1959. 




0 




# 


t- 






82 


18. Air Transport Association Inventory Planning Manual (revised June 1, 1976). 

19. A Scientific Routine for Stock Control, R. H. Wilson. Harvard Business Review 
XIII, 1934-1935 

20. Civil Aeronautics Board Form 41. 

21. Delay and Cancellation Cost Analysis Technique, J. Rose. Boeing Document D6- 
40895-1 Revision B. 

22. Advanced Revision Procedure 76-37, IRS-1690, Internal Revenue Service. 

23. Chase Economic Forecast, Chase Economic Associates, Inc., 1978. 

24. B-747 Flight Control System Maintenance and Reliability Data Base for Cost 
Effectiveness Tradeoff Studies, R. H. Edwards. NASACR-159275, August 1980. 

25. Flight Control Electronics Reliability and Maintainability Study, W. W. Dade, 
et al. NASA CR-145271, December 1977. 


83 



APPENDIX I 


LETTER-CHECK DEFINITIONS 

The description of the work content associated with letter checks has been included to 
explain the scenario for accomplishing FTFCS maintenance and inspection at 
opportunities that occur for the rest of the airplane. The checks at which scheduled 
and unscheduled maintenance may occur are PF, AF, T-check, A-check, B-check, and 
C-check, and are defined as follows: 

PREFLIGHT CHECK (PF) 

A preflight check is accomplished by the flight crew prior to departure using a 
preflight checklist. 

AFTER FLIGHT (AF) 

Crew debriefing occurs at each station with maintenance resources, immediately after 
flight, and consists of the administration time for establishing the work to be 
accomplished on failures that are visible to the crew since the last debriefing. 

T-CHECK (TRANSIT) 

Transit checks include: 

• Nonroutine maintenance, chronic items, deferred work, and special callouts 

• Visual check from the ground of the fuselage, empennage, wings, and engines for 
obvious damage or irregularities 

• Check of tire pressure and tire wear if not previously accomplished on the same 
calendar day 

• Check of fire extinguisher discharge discs 
A-CHECK 

A-checks include all transit checks plus: 

• Check oil levels and service if required 

• Check brake wear and change if required 

• Check oxygen and replenish as necessary 

• Check and clean static vents 

B-CHECK 

A B-check consists of all work accomplished during a T-check and A-check and, in 
addition, contains the following: 

• Check of engine and APU inlets, guide vanes, compressor, chip detectors, 
tailpipe interior, and thrust reverser. Inspection for cracks, damage or other 
irregularities 

• Cheek of interior for obvious irregularities 

• Check oxygen system 

• Detailed check of landing gear and brakes 


• Check of interior for obvious irregularities 

• Check oxygen system 

• Detailed check of landing gear and brakes 

• Check emergency lights, pneumatic and fuel shutoff valves 

• Check for fuel and oil leaks 

• Remove and check filters 

• Check INS battery charger 

• Check VOR/ILS calibration 

• Voice recorder audio check 

• Flight recorder tape readout check 

• Lubricate controls ' ' 

Some of the above items are not included in every B-check. 

C-CHECK 

C-checks provide time in the hangar for accomplishing all types of maintenance. Ten 
C-checks will encompass every kind of planned, scheduled maintenance. 



APPENDIX II 

AIRLINE COST ESTIMATION SYSTEM (ACES) 


The Airline Cost Estimation System is a system of programs for determining the costs 
to on airline of owning and operating parts, assemblies, or subsystems on airplanes. It 
is a tool for designers of airplane equipment to compare the airline life-cycle costs of 
design alternatives, 

The systjem takes os input; 

• Co$t and reliability data of parts comprising the design alternatives 

• Time frame of the fleet operation 

• Airplane and fleet operating characteristics 

• Airline operational and economic parameters 

• Financial climate during the fleet operating period 

Output of the results of a typical analysis is shown in Figures B-1 and B-2. 

Figure B-1 is the summary of costs for one design alternative. (The numbers in 
parentheses refer to the circles in the figures.) 

(1) Selected input parameters 

(2) Investments (ite miz ed) 

(3) Operating costs (itemized) 

(4) Retirement costs 

(5) Tax adjustments 

(6) Total cost of ownership 

Figure B-2 shows the results of comparing the costs for nine design alternatives; 

(7) Baseline alternative that has the minimum investment 

(8) Sum of the present equivalent values of the total yearly costs 

(9) Sum of the present equivalent values of the total yearly investments 

(10) Extra return on investment (EROI) relative to the baseline alternative 

(11) Payback years for alternatives costing less than the baseline 

Other outputs of cost results that are not shown in Figures B-1 and B-2 include, for 
each design alternative, a yearly itemization of; 

• Total costs (both tabular and graphical) 

• Investments 

• Operating costs 

• Retirement costs 

• Investment tax credits 

• Tax allowance for depreciation 

Outputs comparing cumulative cash flows and cumulative present equivalent values of 
total costs of each design alternative with the baseline alternative are available in 
tabular and graphical forms. 

The system programs ore designed to be used with the GDC standard operating system, 
specifically the Network Operating System (NOS>, They were developed using the 
Boeing GDC 6600 and GYBER computers. The programs may be used interactively 
from remote keyboard terminals, 


IM 


owgimm- woe w 

OF POOR QOALtTf 


Input data may be assembled by the user on forms provided. Output is printed at the 
user's terminal immediately after input is completed. 





OCSICti TOTAL 

COST OF OWNERSHIP SUMMARY 


• 

PROCRAH TCCOia 



VERSION COlSAi 



HUN DATE 03/0 I/7a 



ANALYST U J OHARE OP 

-27. AlOrtANE MODEL 

727 


INVCSTHENT ASSUMPTIONS FOR CASE VCN> 

r-vscr OF design vscf 

-VS-2C 

HASC YEAR TOH EQUIVALENT VALUE 

1977 



TAX RATE 


50.00 PER CENT 


INVESTMENT TAX CREDIT 

RATE 

10.00 PER CENT 


TAX DEPRECIATION LIFE 


10 YEARS 



USEFUL LIFE OF PROJECT 


19 years 



EQUIPMENT LIFE 


15 YEARS 



FLEET SI2C/YEAR 

3C 

. 30. 30. 

• • ■ 

30. 

INFLATION RATE/YCAR 

a. 

00 1.00 8. 

00 ... 

8.00 

MIN. ATTR. RATE OF RET 

./YEAR IS. 

00 15.00 15. 

)0 • ■ • 

15.00 

1 cost ANALYSIS - (SEC OC-42S7S FOR DC 

rXNItICNS) 






PCX 

PCX. AV. 

ENTITY 

CUMULATIVE 

CUN. PRESENT 

PC or 

DOLLARS/ 


CASH FLOW 

CQ. VAMPEX} 

IC'fOC 

FLT. HR. 

INVESTMENTS: 





AIRPLANE 

- 2 tuaas. 

-2818885. 

49.1 

-2.04 

^ ROIAOLE SPARES 

-2I90tl. 

>219081. 

3.1 

-.18 

EXPCNOABLC SPARES 

-57»29. 

T22284. 

.4 

-.02 

GROUND EQUIPMENT 

0. 

0. 

0.0 

0.00 

SPECIAL TOOLS 

>10000. 

-lOOCO. 

.2 

-.01 

■UILOINCS 

0. 

0. 

0.0 

0.00 

RAMP EQUIPMENT 

0. 

0. 

0.0 

0.00 

TRAINING EQUIPMENT 

0. 

‘ 0. 

0.0 

0.00 

MAINTENANCE MANUALS 

-17C05S. 

-178055. 

3.1 

-.13 

other 

0. 

0. 

0.0 

0.00 

^ OPERATING COSTS: 





MAINT/ iANCE LABOR 

-21Ui£. 

-79594. 

1.4 

-.08 

HAINTt NANCE MATERIAL 

-C9S142. 

-287I8S. 

4.7 

-.19 

maintenance BURDEN 

-852727. 

-328424. 

9.7 

-.24 

SPARES HOLDING 

-805021. 

-223153. 

3.9 

-.18 

maintenance TRAINING 

0. 

0. 

0.0 

0.00 

FUEL/NEICHT 

-3101314. 

-1172398. 

20.5 

-.■5 

oelays/cancellations 

-782338. 

-317272. 

5.5 

-.23 

AIRPLANE INSURANCE 

-211388. 

-94710. 

1.7 

-.07 

OTHER 

-17822. 

-8508. 

.1 

-.00 

"“'.^RETIREMENT COST: 





NET CREDIT 

0. 

0. 


0.00 

TAXATION: 





■«. INVEST. TAX CREDIT 

322200. 

322200. 


.21 

DEPRECIATION CREDIT 

1522973. 

1087798. 


.77 

INCOME TAX PAYMENTS 

0. 

0. 


0.00 

TOTAL 

-7091853. 

-8341887. 

100.0 



The table output providet details of actual cash and present equivalent value (PEX) 
of cash for various cost en tities 


Figure B-1 Example of Airline Cost Estimation System Output 

11-2 



ORIGiNAt 

OF POOR QUAUTY 



This example shows a cost of ownership comparison of a number of design alternatives for an electrical 
power generation system, Each case is compared to the case vi,'ith the least investment cost and a 
percent equivalent return on investment (EROM is calculated us an increment above or below a 15?o 
minimum attractive rate of return (MARR). 

Figure B-2 Example of Airline Cose Estimation System Output 
Two of the system programs may be executed alone. 

The Spares Provisioning Program yields costs and quantities of economically repairable 
spare parts and the probability of no stock-out during fleet operation. 

The Delays and Cancellations Program computes the cost elements associated with 
schedule interruptions caused by the parts comprising a design option. 

The User's Guide for the system contains instructions, input forms, examples, a sample 
run, and two complete airplane lists of economically repairable spares including cost 
and reliability data. 


11-3 


ORIGINAL PAGE IS 
OF POOR QUALITY 


APPENDIX m 

AIRLINE OPERATIONS AND MAINTENANCE MODEL AS3031 
PROGRAM DESCRIPTION 

The Airline Operations and Maintenance Model has been developed and successfully 
applied to several airlines for evaluating the effect of new or modified operational 
and/or maintenance concepts and/or equipment on the overall performance of the 
airline systems. The model simulates in detail the movements of up to three types of 
airplanes, as constrained by system geography, flight schedules, and operational and 
maintenance policies. The model can be readily modified to closely simulate many 
different airline systems. During a simulation run, the model generates statistical 
distributions on pertinent parameters such as service delay times at system stations, 
flight times between stations, and malfunction types. For each airplane type, the 
model is given the system failure rates, standard cumulative flight times between A, 
B, C, and D routine maintenance, personnel requirements for routine maintenance and 
for each subsystem malfunction repair, and mean repair times for each subsystem. To 
assure a close approach to reality, each simulation run is made for a simulated time 
period of 1, 2, or more years. System sensitivity to changes in operational and/or 
maintenance variables can be evaluated by a series of parametric simulation runs. For 
a given fleet, flight schedule configuration, and operational and maintenance policy, 
the model produces simulation results indicating airline operational performance in 
terms ofs 

• Mean flight departure delay times and distributions of delay times 

• Airplane substitutions for scheduled flights 

• Flight cancellations 

• Airplane utilizations 

• Maintenance personnel at each system station 

• Maintenance equipment at each system station 

PROGRAM APPLICATIONS 

The Airline Operations and Maintenance Model can be exercised in numerous ways to 
evaluate the impact of different levels of system reliability and maintainability under 
existing or proposed configurations of equipment, personnel, and policy. Basic model 
applications include the evaluation of; 

• Plight schedules 

f Maintenance policy 

• Maintenance logistics 

• Airline route analysis 

• Airplane type comparisons 

ROUTE/SCHEDULE STRUCTURES 

Alternative flight routes and schedules may be evaluated for the impact they have on 
dispatch reliability, flight deviations, airplane utilization, and maintenance personnel 
and equipment utilization. 

MAINTENANCE POLICY 

Scheduled maintenance policy, as embodied in the definition of tasks to be accomplisli- 
ed during routine A, B, C, or D checks of airplanes in the fleet, can have a significant 
effect on overall system reliability, maintainability, and profitability. Variations in 


III-l 


the task splits among the A, B, C, and D checks, or in the operational time periods 
between routine checks, can be tested In the model for impact on dispatch reliability. 

AIRUNE ROUTE ANALYSIS 

New routes, new schedules, additional airplanes, and additional maintenance personnel 
and equipment can be Integrated into the model to evaluate the impact on airplane 
utilization, availability, and maintenance resources. A series of simulation runs could 
supply information relating to optimal additional airplanes, maintenance personnel and 
equipment required, together with Improved flight schedules for the expanded system. 

AIRPLANE TYPE COMPARISON 

Comparison of the system-wide effectiveness of two or three different types of 
airplanes can be accomplished with the model. Two different airplane types, or a new 
third type with two existing types, can be "flown" over the same route structure with 
the same operational and maintenance policies to determine Impact on airplane 
utilization. The model effectively keeps separate statistics for each airplane type. 

MODEL INPUT, LOGIC, AND OUTPUT 

The model contains a preprocessor to allow for easy input of all data related to the 
airline operations. The model also is constructed in modular form to make 
modification of a given airline system easier, The modules are: 

• Airplane creation 

• Flight dispatching 

• Flight scheduling 

• Airplane operations 

• Scheduled/routine maintenance 

• Unscheduled/nonroutine maintenance 

Model logic is illustrated in flowchart form in Figures A3-1, A3-2, and A3-3. 
SCHEDULED MAINTENANCE 

If the airplane is not at the station where its next scheduled flight is to originate, 
nondeferrable malfunctions are processed and the airplane is deadheaded to the next 
flight origin, where routine maintenance, if necessary, is accomplished. If the airplane 
entering scheduled maintenance is at its next flight origin, routine maintenance work, 
if required at this time, is accomplished. At the same time, all nondeferrable, and 
"checks" malfunctions are processed as unscheduled maintenance. When all 
maintenance work is complete, the airplane is placed in immediate available status at 
the station. 

UNSCHEDULED MAINTENANCE 

Malfunction transactions entering this module are assigned to a subsystem that failed, 
based upon the class of malfunction and the airplane type. Engine failures at a line 
station with no engine replacement capabilities trigger the criterion for a ferry flight 
and are not processed. Normally, engine failures and other malfunctions are processed 
concurrently, unless maintenance personnel are in short supply at the time. Queueing 
statistics indicate such bottleneck areas, As all malfunctions from an airplane 
enter the module, the estimated longest repair time for any one malfunction is used to 
update the airplane availability time. After all malfunctions have been processed, the 
actual completion time is used to update airplane availability time. The ATA number 
of the malfunction requiring the longest work time is saved for the report (if it delays 

in-2 




























ORIGINAL PAGE IS 
OF POOR QUALITY 



Fi(ajREA3-2- AIRLINE OPERATIONS AND MAINTENANCE MODEL 

ROUTINE MAINTENANCE 








ORIGINAL PAGE IS 
OF POOR QUALITY 


i 


i: 

t 

I 



ru-5 


UNSCHEDULED MAINTENANCE 















the next fllglU). If on engine is replaced, the failed engine is overhauled and the 
overhauled engine is returned to storage at the station. 

VERIFICATION OF RESULTS 

The model is verified for a given airline system by Sirnulation of, and comparison to, 
actual airline operations. The collection of data on the system equipment and 
geography, system maintenance, and system operations required for such a verification 
run and subsequent experiments is facilitated by the structure of the model data 
matrices. The initial verification run detects possible errors in the original data 
roundup. Subsequent runs can test sensitivity of the system to changes in critical 
operational or maintenance parameters for comparison with actual system sensitivity 
data. Successful completion of the verification runs provides assurance that 
subsequent studies conducted with the model will be statistically significant. 


111-6 


APPENDIX IV 

AN EVALUATION OF THE MILLER MODEL 


The mathematical technique for evaluating the economic impact of new fault 
tolerant flight control designs developed by D. R. Miller in Ref. 1 has been 
reviewed. Although this review has indicated that definite conclusions of 
merit are premature, the modeling concepts in Miller's document appear 
potentially useful in several contexts and from several points of view. 

An evaluation of the quality of the Miller model is inhibited by the fact 
that, as the author suggests, it is only the initial result of a piece of 
ongoing research. Miller's method is presented in terms of two approximations 
that bound the solution to a mathematical abstraction of the real avionics 
system problem-* To ask the question then, if this approach is valid and 
useful is to question first of all if the approximations are valid (i.e, 
sufficiently accurate) in light of the abstraction and secondly whether 
the abstraction represents the essence of the true problem. 

No mathematical criteria now exist for evaluating the quality of Miller's 
approximations nor are such criteria likely. This makes the simulation of 
the mathematical abstraction now being conducted at NASA-LaRC particularly 
valuable. The second question is even more difficult to assess quantitatively 
unless the results of the LaRC simulation can be compared with the simulation 
of a higher level abstraction more closely representing the real world. Since 
defining this higher level abstraction is part of the problem of Phase 1 of 
this research with simulations to follow in Phase 2, it is somewhat early to 
anticipate quantitative evaluation of the merits of the Miller model. 

With this in mind then, the discussion that follows is primarily expository 
rather than a detailed review of merit or critique. 

The two constraining variables influencing the use of the Miller model are 
accuracy and size where accuracy must be discussed both in terms of the 
accuracy of the approximation and the extent to which the abstract model 
represents the essential features of the avionics system under consideration. 


IV- 1 


Early results of the LaRC simulation of the Miller abstraction s.ummarized in 
Ref, 2 seem to indicate that Miller's lower bound is a good measure of 
central tendency with regard to the number of groundings per day. At 50, 
the percentile rank of the approximation averaged over the 24 cases considered 
in Ref. 2 indicates a close approximation to both the mean and median number 
of groundings. With regard to incurred costs, the average percentile position 
of the approximation is 43, indicating that it is a less effective estimator 
of central tendency in this case but still a lower bound. The simulation also 
proves that Miller's upper bound is too high to be an effective measure for 
the cases considered. 

With respect to judging for accuracy or validity of an abstraction, any model 
of a real world system must be a compromise between model integrity and 
mathematical tractabil ity. This rule of thumb is unusually true in the 
present context in that the real world problem is very complex. Briefly, 
the real system problem includes the interactive effects of a large flight 
network with a diversified fleet, a detailed maintenance structure, and a 
complex, flight critical hardware system operating in a wide time frame that 
varies from mission lengths in the large to maintenance actions in the small. 
The compromise inherent in the Miller model seems highly effective. It 
appears to emphasize all of the important structural elements of the problem 
without sacrificing the intent of a mathematical solution. Structural 
differences between model and reality can be argued but numerical evaluation 
of these differences must wait until experience on the model's use and scope 
is available through simulation. Since, however, the current detailed study 
is based on these structural differences, a brief discussion of some of them 
is perhaps useful. 

It is difficult to argue that the Miller model does not include certain 
effects on variables thought to have influence on the answer. Indeed, he has 
been extremely successful in including some measure of most effects. Rather 
it is the total impact of large numbers of second order effects that will 
cause differences, if any, between Miller's and some higher order real world 
model. Some of these second order effects thought to have some economic 
impact are: 


IV-2 



a highly interactive airline network sharing a fleet of airplanes of 
different types and functions rather than a single route of one 
airplane type; 

a highly fluid maintenance operation capability that depends on many cost 
variables as well as demand,, rather than a highly stylited main maintenance 
base, three activity level, maintenance concept; 

the fault detection capability of the system including the avionics 
capability as well as ground based detection and the impact of ''false 
alarms"; 

"start-up" time effects and the effects of latent errors, which may cause 
differences from the assumptions on which Miller's steady state extrapola- 
tions are based; 

software repair and maintenance; 

the "other carrier" impact coming through shared spares pools; 

more complicated responses to emergency demand such as the possibility of 
borrowing from nearby aircraft, restocking other stages at the same time, etc.; 

broader avionics structural definitions than k-out-of-n decoupled stages 
in series; 

stricter and more extensive cost accounting, less cost averaging; 

more complicated interaction between demand and spares pools levels. 

The impact of the size constraint is more difficult to determine. Experience 
in the past suggests that a straightforward state count that yields astronomical 
levels even for such simple systems as the example described in Miller's paper, 



is not always a valid measure. In a practical situation with real constraints, 
the state count is often far less than a simple count of all combinations of 
working and failed equipment levels. Miller suggests that it may be possible 
to utilize sparse matrix techniques in coding to increase the speed of computa- 
tion. Experience too, shows that real gains can be made utilizing these ideas. 
If the problem is too large to be coped with efficiently by any of these 
means, and size must be faced, the model could be used iteratively by varying 
the number of aircraft in the fleet and spares in the pool, sequentially. 

These sequential solutions might then suggest numerical relationships that 
could be used to forecast the behavior of a larger system whose state count 
is beyond the feasible range. 


The accuracy of the lower bound approximation for the Miller model indicates 
that it could be useful in providing a first look at determining the size 
and cost of new systems if the state count constraint proves surmountable. 
Although a lower boundisnot as useful in determing costs as an upper bound, 
its potential for approximating system performance should not be overlooked. 

There are several other possible uses for the Miller model other than this 
strictly global role in assessing new systems. Some of these have already 
been suggested in Ref. 2. Perhaps the most important contribution of the 
simulation to date is in demonstrating that a simulation of the cost impact 
of fault tolerant avionics systems is feasible with respect to cost, 
computer requirements and the usefulness of the answers ft produces. An 
interesting second result of this simulation is that the random cost estimates 
across the replications at steady state have shown fairly pronounced variability. 
The ramifications of this information on the current study are twofold. At 
the very least it indicates that time probes Should be placed across the 
replications at regular intervals prior to steady state, to determine if this 
variability is indeed still present in the larger simulation, and, if so, 
the nature of its source. Also, it seems possible that this variability 


might be due to a drift away from nominal in some series before steady 
state. If this is the case, a more global measure of system performance 
might be more realistic to use as an optimization criteria than average 
cost 3t steady state. 

The simulation optimization currently under consideration may prove costly to 
run due to its size and complexity. Therefore any a priori information with 
regard to good operating levels of the variables for a given scenario, or to 
heuristic relationships between variables, could be an important factor in 
the speed of convergence of the optimization process. The Hiller model could 
be useful in this capacity. That is, those operating levels and strategies 
that seem most optimal, i.e. least costly, in the Hiller sense, may provide 
an efficient initial operating level for the larger Phase I problem. 

During the course of developing his model. Miller makes several suggestions 
for approximations to the process that might prove fruitful as partial modeling 
devices for improving the efficiency of the large simulation. In particular, 
such ideas as uncoupling the stages, Poisson emergency demand statistically 
distributed over the route structure, use of steady state distributions for 
modeling parts of the process and uncoupling portions of the interaction of 
the demand and repair process could be incorporated into the simulation for 
efficiency if it could be shown that the displaced detail was unimportant. 

There appears to be only two methods of providing this proof. One, if 
possible, is to simulate portions of problem in great detail in order to 
demonstrate the validity of the approximation and another is to build the 
greater model, simulate it, and let feedback provide the numerical basis 
with which to approximate. Neither approach is contemplated for Phase I 
although both might be necessary if experience with the large simulation 
dictates improved efficiency. 

Miller's model could prove useful in extending short term simulation results 
to achieve a steady state answer. This will depend of course on the nature 
of the system's steady state. Since the impact of latent faults will be 


lV-5 


evaluated in the more detailed simulation, the cost effective solution might 
indicate that the system should operate with a gradually increasing failure 
rate rather than to incorporate very exhaustive testing for latents on a 
scheduled basis. If it could be shown that constant failure rate is a 
reasonable assumption, the Miller model might well provide sufficient 
insights into steady state behavior when based on short term results obtained 
from the detailed simulation. 

Although many questions remain as to the nature of the accuracy of Miller’s 
model, it should be applauded as a careful attempt to develop new methodology 
in a very difficult problem area where no other methodology now exists, As 
in any compromise dictated by the requirement of mathematical solvability 
it can be challenged on the grounds of realism and therefore must be validated. 
If validated it has the potential of offering a very satisfactory, less costly 
answer for many problems and might be particularly useful for gaining broad 
insight into the general operating levels of a particular system. Other than 
validation the only other constraint possibly inhibiting the usefulness of 
this technique is the combinatorial growth of state count as the system grows 
in size and complexity. 

Other uses of the Miller concepts have been explored that complement the 
detailed simulation optimization of the current study. Providing initial 
conditions to the simulation is one such possibility. Others that seem 
fruitful include replacing details of the simulation with his analytic models 
to improve efficiency and eKcrapolating a short term simulated history to 
steady state. Assessment must wait until the larger simulation is in production 
and tradeoffs can be evaluated. 


lV-6 


Refer*ences 


V. Miller, Douglas R. , A Maintenance for K-out-of-N Subsystems 
Aboard a Fleet of Advanced Coiivnercial Aircraft. Technical Memorandum 
Serial TM-66502, The George Washington University, Nov, 1977. 

2. Miller, Douglas R. , Further Results for a Maintenance Model for K-out- 
of^N Subsystems Aboard a Fleet of Advanced Commercial Aircraft, 
Technical Memorandum Serial TM-66545, The George Washington University, 
Sept. 1978. 


lV-7 


APPENDIX V 


KELZABILITY CONSIDERATIONS 

In surveying available reliability assessment packages tor 
analyzing digital fault -tolerant avionics it becones apparent 
that their evolution tracks the evolution of the fault-tolerant 
architectures they model. Though general purpose claims are 
often made, it is usually the case that the analysis is general 
purpose only within the generation of architectures they 
represent. Consequently the reliability packages that are 
available have a wide variety of capability and emphasis. In 
the following discussion a set of criteria describing the 
essential features of the assessment of foreseeable fault- 
tolerant avionics systems is developed and the most applicable 
of existing reliability programs are reviewed, relative to this 
norm. 

The coverage of the system, or the chances that it can be 
successfully reconfigured to a degraded state after a fault 
occurs, depends on the cUaility of the system to detect its own 
errors and to perform the necessary actions leading to continued 
operation. Thus with f ault -tolerance , reliability is a function 
of the system's capacity tor self diagnosis and self repair 
as well as the usual considerations of structure and redundancy 
management. These features imply two basic sources of system 
failure, one source coming from the depletion of eqtiipment 


V-1 



ORIGIHAU 
OF POOR 

lDe}.ow ccltical level?, the other due to lack ot coverage (the 
probability the system can be successfully reconfigured after 
a failure). Therefore the criteria for evaluating reliability 
assessment programs must reflect the structure of these two 
sources of failure as a function of the performance required 
of the Tiircraft during flight. 

A2,1 Criteria 

The following points form a set of criteria or capabilities 
that would be desirable features in a reliability assessment 
program. The list can be compromised in certain situations, 
but to model future systems as they are now envisioned, most 
are important. 

A2.1.1 System Features 

Any assessment program must be capable of determining the system 
reliability. NASA's goal is a probability of failure of no 
more than 10 in 10 hours. Since this is a fairly demanding 
goal, its execution requires a well considered mathematical 
technique that can produce numerical precision with reasonable 
efficiency. 

As a minimum the program should be sufficiently flexible to 
model the operational structure of the AKCS, SIFT, and FTMP 
architectures. This implies architectural structures having, 
among others, such features as triad operation singly or in 


PAGE IS 
quauty 


V-2 


O^^lGINAt PAGE IS 
OF POOR QUALITY 


patalleX, £Xexed sparing with dynamic allocation^ gracefful 
degradation! and a k out of n definition of equipment depletion. 
In addition, it would be desirable if the program included such 
structural effects as dependent stages, substructures which 
themselves are redundant or fault- tolerant, ordered failures, 
or complicated network relationships between stages* (Note, 
a stage is a set of like components at a level replaceable by 
spares carried either in the ground or in onboard inventory.) 

The result of this modeling would be an explicit or implicit 
definition of the degraded system states and states of system 
failure to be used as input to the analysis portion of the 
assessment program. 

Many traditional fault-tolerant systems have included spares 
as an integral part of the system design. There are three ways 
of modeling spares that have evolved! offline unpowered spares, 
online powered but passive spares, and online powered but active 
spares that are constantly flexed as part of the system so that 
knowledge of their working state is constantly updated. Both 
SIFT and FTMP at any instant of time have spare equipment of 
the latter, type. ARCS makes no provision for on-line spares. 

Since different demands are made on the system as a function 
of flinht phase, the reliability model should reflect these 
varying requirements. If phasing cannot be incorporated in 
the modeling, the reliability should be demonstrated for the 
entire mission at the equipment iev"l required for the most 
demanding phase. 

V-3 


A2.1.2 Coverage 


ORIGINAL PAGE IS 
OF POOR QUALITY 


Given that a fault has occurred, the ability of the system to 
respond and continue its defined task in a degraded state is 
measured by coverage- Two qxiite different types of coverage 
models now appear in the literature. One is concerned with 
single point failures from which the computer cannot recover 
due to either long time delays in the recovery strategy, or 
because the fault belongs to the class of nonrecoverable faults 
for that system. Such models frequently model coverage 
nonstochastically, at least with regard to the time frame of 
the system* s operation . 

The other type of coverage model assumes categorically that 
the system can recover from all single faults, but that fault 
simultaneity of certain types causes system failure. Fault 
simultaneity in this context can mean either two or more faults 
coexisting in a nonreconf igured state or, less conservatively, 
two or more in a detected but nonreconf igiured state. This model 
implies a stochastic model with emphasis on the vulnerable down 
period of the computer- Thus it is necessary to know not only 
vdiat type of errors the system can withstand but how many it 
can tolerate at one time. 

Failures in a fault-tolerant system can have two causes: 
permanent or transient, and be in several states reflecting 
the self diagnosis and self repair capacity of the computer. 
These are summarized below. 

V4 


nmciNAL PAGE 


Permanent faults can be in one of three states as a consequence 
of the Systems detection « isolation* and recovery (DIR) strategy* 
The period of time that a permanent fault remains latent is 
a function of the detectors used in verifying its presence* 
Therefore any model of the effects of this fault must reflect 
the speed and extent of the capabilities of these detectors* 

Every fault-tolerant computer has a built-in strategy for 
isolating a permanent fault once it has been detected. In as 
much as some systems use an error report to store information 
until a decision is possible, there is a potential delay in 
the response to the fault in this period. Models of this effect 
should at least be responsive to the strategies planned for 
the SIFT and FTMP systems. 


With their emphasis on the continuity of production, fault- 
tolerant systems are designed so that reconfiguration time is 
very small once a fault has been isolated. Nevertheless, during 
reconfiguration the system may be even more vulnerable than 
it was during xsolation. Therefore a fault in this state 
requires careful modeling based on an understanding of the 
processes involved and be flexible enough to respond to the 
design of a given system. Since the total vulnerable period 
due to both isolation and reconfiguration is likely to be very 
short it may be better to combine these effects into a single 
variable. This is particularly true in situations where there 
is insufficient information for modeling each in detail. 


V-S 


ORIGINAL PAGE 
OF POOR QUAUTY 


Methods ot modeling transient faults are not yet well understood* 
Despite this deficiency the assessment model should be 
sufficiently general to include more detail on this fault 
condition as information becomes available. The usual method 
is to assume that transient failures are independent with 
constant fai3.ure and duration rates. *niere are several possible 
difficulties with this approach. There is some evidence that 
transients may at times have a spatial impact inducing correlated 
response among faults. Another possxbility is that failure 
rates might be component dependent in the sense that not all 
components in a stage would have the same inclination to display 
transient behavior. This means that the failure rate^ though 
constant for a given component, might vary from component to 
component in a random fashion with some parts displaying a 
stronger tendency toward repeated transient behavior and others 
less so. Also, some designers envision an elaborate recovery 
mechanism for a transient, while others argue that the 
differences in response to transients, once detected, are no 
different than to permanent faults. 

The designers of the FTMP have stated that the system can recover 
from all single point failures , most double failures but no 
triple or higher order failures that exist simultaneously in 
an unrecovered state. A similar statement is made by the SIFT 
architects. Thus programs that define system failure in this 
way have stochastic coverage models with features that are 
different from single point coverage models. Some of the desired 
features of such models are given below. 


V-6 



ORIGINAL PAGE m 
OF POOR QUALITY 

Coverage is defined in terms of simultaneous equipment failures 
during the period of isolation and recovery from the triggering 
detected fault. Since the chances of simultaneity increases 
(with a corresponding decrease in coverage) whenever latent 
faults are included in the modeling, the requirement for latent 
fault modeling is substantial for coverage models of this type. 

The definition of systein failure in terms of simultaneous events 
implies that the coverage model is a function of the amount 
of available equipment at the time of failure. A possible 
consequence of this assumption is that the system may reach 
a point where increasing redundancy decreases reliability. 

When coverage is a function of the available equipment, a serious 
effort must be made to identify the set of equipment types whose 
simultaneous failure will be cause for concern. For some systems 
this mutual dependence of equipment will only extend within 
a stage. For other systems, in particular the FTMP, it will 
be extensive, and cross -couple equipment across stages. 

A2.2 Program Review 

Five reliability assessment prc>grams have been reviewed for 
their suitability in r,ieeting the criteria established in the 
previous section. Other programs exist tor assessing the 
reliability of fault-tolerajit computer systems that are not 
reviewed here. Tne analysis of such systems has grown so in 
sophistication during the last few years, particularly with 
regard to coverage, and many of the traditional reliability 

V*7 



OWGINAU 
OF POOR 

assessment programs no longer pertinent. The f^v«? programs 

or technlgues are the reliability analyses for the prototype 
systems SIFT (ret. 1) and FTMP (ref. 2) , and the general programs 
ARIES (ref. 3, .4, 5), CARSRA (ref. 6) and CARE II (ref, 7). 

CARE III, under development at Raytheon, is also a viable 
assessment program candidate but its features are not Vrell 
defined at this time. Also, the basic assumptions of CAST (ref. 
8) , another assessment program, have been for the most part 
incorporated into ARIES which obtains a solution with far more 
efficiency, obviating the need for a separate review of the 
CAST program. The features of each of the five programs that 
are relevant to the outlined criteria are sumnarized in Tables 
I and II. The FTMP and SIFT assessment models were developed 
specifically for their individiial architectures and since they 
do not exist as general purpose programs, they cannot be judged 
accordingly. 

The five programs can be partitioned by the type of structure 
analyzed and the incorporated coverage model. The models for 
SIFT and FTMP contain a stochastic, simultaneous failure model 
of coverage.; CARE II, CARSRA, and ARIES treat coverage 
nonstochasticly euphasizing recovery from single point faxlures. 
CARE II conteuLns a separate coverage model vdiich develops the 
mathematical interaction ot the characteristics of the detectors 
used in sensing a fault by introducing the concept of competing 
detectors on fault classes. This analysis is then coupled with 
a model of the consequences on reconfiguration of time delays 
in the isolation and recovery strategies which determines the 


pMiZ IS 
QUAUTV 


V-8 


ORIGINAL PAGE IS 
OF POOR QUALITY 


TABLE I 



STRUCTURE 

UIUJ 

Q 

Sg 

FAULT TYPES 

MATHEMATICAL MODEL 

I 

! 

1 

1 

1 

UJ 

a, 

p: 

SPARES 


1 

HO. OF 

RECOVERY 

STAGES 


MODEL 

SOLUTION 

rtiip 

PARALLEL 
IMS K OUT 
OF II 

H STAGES 

ON LINE 

COnSTAlJT 

FLEXING 

1 

STOCHASTIC 


1 

X 

MARKOV 

AND 

COMBINATORIAL 

SEPARATE MODELS 
SUMMED FAILURE RATES 
NUMERICAL INTEGRATION 

SIFT 

K OUT OF N 

INTEGRATED 


STOCHASTIC 

mm 

1 

X 

HARKOV 

NUMERICAL 



M STAGES 




Hi 




INTEGRATION 

A 

f 

CARE n 

Z MODE 

ACTIVE i 

■ 





COMBINED STATE 

NUMERICAL 



K STAGES 

STANDBY 


Pii! iSn 




TIME DEPENDENT 

INTEGRATION 

■f 




■ 


IDii 


X 

MARKOV 



ARIES 

STAGES 

ACTIVE t 

■ 

NON- 



INCLUDES 

MARKOV 

MATRIX METHODS 



IN SERIES 

STANDBY 


stochastic 



RECOVERY 


BASED ON 



K OUT OF N 


■ 


■i 


MODEL 


EIGENVALUES 


CARSRA 

GENERAL 

ON LINE 

■I 

NON- 










1 

STOCHASTIC 

■ 


X 

MARKOV 

MATRIX METHODS 



X • INCLUDED FEATUiiE 


































































ORIGINAL PAGE IS 
OF POOR QUALITY 


overall coverage parameters tor the system under consideration. 
These parameters then feed the CARE ZI assessment program in 
much the same way as do similar parameters in ARIES and CARSRA 
where the parameters come in simply as constants with which 
to mcLke parametric studies. 

The stochastic coverage model of the FTMP is more elaborate 
than for SIFT. The FTMP model includes a careful analysis of 
all potential simultaneous double failures that can cause system 
failure plus all higher order simoltaneitles. This cross>couples 
the entire system in a manner similar to that described In the 
previous section on stochastic coverage models. The SIFT model 
does not cross -couple across stages and is not as complete in 
its analysis of double failures, but in other considerations 
is quxte similar to the FTMP assessment. 

With regard to structure the FIMP, SIFT, and ARIES programs 
basically model a k out of n gracefully degrading structure 
with soioe differences in spares utilization. The SIFT program 
is the closest to a true k out of n model and does not identify 
spares as such. The FTMP identifies spares but because of 
constant flexing through reidentitication of the spare as an 
active unit, the model only admits to spares per se in its 
definition of failure modes. ARIES contains a spares model 
that includes botli acrxve and passive spare failiure rates as 
well as two separate coverage parameters. 


V-10 



The X out of n structure for ARIES is imposed at the subsystem 
level and the system itself is assumed to be a serial connection 
of these subsystems. Thus system reliability is calculated 
by talcing the product of the subsystem reliabilities obtained 
from ARIES. The PTMP model is really several models vrtjose 
failure rates are added. One of these models represents system 
failure due to equipment degradation in the same way as ARIES. 

The FTMP coverage model, however, couples the entire system. 

CARE IX includes a X out of n gracefully degrading system that 
emphasizes a mode change when equipment levels degrade 
sufficiently. The model allows for a complete redefinition 
of system operation at this mode change. The time of mode 
change is triggered by the first subsystem or stage that degrades 
to this level and hence all stages are coupled. CARE IX includes 
the option of powered or unpowered spares with two separate 
failure rates. 

The structure model in CARSRA is the most versatile of the five. 
Though the final product is a serial connection of independent 
subsystems, the subsystems can have dependencies between 
components that may be complicated Boolean structures. It is 
even possible to model ordered failure relationships in CARSRA. 
Once the serial subsystems, the structtural relationships within 
the subsystem, and the transition rates cure defined, CARSRA 
produces a solution to the corresponding MarXov state model. 


V-11 


All ot the models base their analysis on tinite state# constant 
rate, continuous time Markov processes and soiye the resultant 
system o£ differential equatioiis with matrix methods or numerical 
integration. All seem adequate for their intended purpose if 
the number of states does not become too large. 

The programs differ most completely in their treatment of the 
various error states. With the exception of CARE II and the 
latest version of the SIFT assessment, the remaining programs 
pay little attention to the possibility of faults in a latent 
state or the architecture's isolation stragegy. They concentrate 
almost exclusively on the reconfiguration speed so the system 
is conditioned on assumed knowledge ot the existence and location 
of the fault. The SIFT assessment allows faults to be in either 
latent, recovei^f^ or reconfigured states, and CARE II includes 
the elaborate fault analysis discussed previously. 

A2 . 3 Reconunendations 

Table I pinpoints two reasons why the evolution ot reliability 
assessment prograjtis of fault-tolerant systems is difficult; 
the wide variety of features thought to be pertinent in assessing 
these systems and the lack of agreement about which is the most 
important set. The most pronounced difference is with regard 
to the modeling of coverage which is also the primary contributor 
to system failure for the mission times under consideration. 

In particular, the assessment programs for the tiiree 
architectxires; ARCS, SIFT, and FTl-lP; display this difference 


V42 


in their modeling o£ coverage, although those tor $1F1* and ?7HP 
are relatively in agreement. Thus, in eit'ect, two separate 
coverage models are required to model these three systems. 

For the more traditional nonstochastic coverage model both 
CARSR/i and ARIES seem viable alternatives. CARSRA is the most 
versatile with respect to structure but is severely size limited 
while ARIES can handle more states. 

The assessment programs tor the SIFT and FTNP architectures 
provide the only stochastic models oi coverage. Since both 
now model the various Influences on system failure in temvs 
ot separate models, neither seem suitable as general purpose 
programs, which o£ course was not their intent. I^us, it is 
recommended that a single general purpose reliability assessment 
program be developed tiiat will incorporate a stochastic coverage 
model to evaluate the impact on system failure of "nearly 
simultaneous failuress" as well as the interaction of the four 
fault types; latent, detected but not isolated, isolated but 
not reconfigured, and transient. 

CARE III, now under development, may well provide this resource. 
If not, a straightforward Markov model of these effects seems 
quite feasible as large, pure death, Markov processes involving 
hundreds ot states can be solved quite cheaply using classical 
matrix methods for solving systems of differential equations. 
Though the pure death property is violated when transients are 


V-13 


included In the model, the deviations are slight and should 
not prove unsurmountable. 

A2.4 Sottware Reliability 

The area oi soitvrare reliability is in a State of great 
transition and although much is hypothesized regarding its 
nature, little is kxiown in terms of quantitative results. The 
subject is comparatively undeveloped partially because it has 
not seen the same degree of expenditure as that devoted to a 
similar exercise for hardware but also because it is very 
difficult to conceptualize. At present the bul)c of the resources 
are being spent on the development of methods for producing 
more reliable, more easily maintained software such as structured 
programming, program processing, and fault-tolerant software 
techniques utilxzing alternate algorithmns. To a lesser extent 
are programs being evaluated in terms of their failures and 
failure characteristics, which is a more difficult question. 

Its difficulty lies partially in the* impracticality of using 
standard exp^xmental techniques. 

There are three traditional metfiods for establishing the 
reliability of a device; mathematically modeling the dependence 
of the device on constituents of known reliability, building 
a computer simulation of the device, seeding it with typical 
errors and probing tor failures or gathering historical 
experience by introducing a copy or copies of the device to 

the working environment and recording the failures. The first 

V*14 


ot these is rarely viable in a sottware context in that 
establishing the reliability of constituents is a problem of 
the same magnitude as the original and their interdependence 
is often complicated. The second method too is difficult in 
that little is known or the structure and relative freguency 
of typical program errors relative to a given program. Thus 
simulation by conditioning on a Seeded "typical" error set is 
an interesting but extremely premature concept \intil more 
research has been conducted on predicting program failure modes. 
The third method otters some potential and is the method on • 
which most modeling to date has been 2;^^.ed. These models 
primarily assume an exponential time to failure with a decreasing 
failure rate that depends on the number of bugs remaining in 
the prograiiiu A recent review and evaluation of the more popular 
models (ref. 10) indicates that there is still more work 
necessary before predictii^g so£t.ware reliability is a reality. 

In time it is hoped that studies on how programs fail will also 
provide soiae information on features of the program which can 
be measured as predictors of failure probability or rate. 


V-IS 


REFERENCES 


1. Wens ley, John H.» et al, »* sipt ; Design and Analysis Fault- 
Tolerant Computer tor Aircratt Control," Proceedings gf the 
IEEE, Vox. 66, No. 10, October 1978. 

2. Hopkins, Albert L., "FTMP: A Highly Reliable Fault-TOlerant 

Multiprocessor for Aircraft,” Proceedings of the IEEE . 

Vol- 66, No. 10, October 1978. 

3. Ng, Y.W. and A. Avizienis, ”A Reliability Model for Gracefully 
Degrading and Repairable Fault-Tolerant Systems,” Digest of 

the Seventh International Symposium on Fault Tolerant Computing . 
Los Angeles, CA, pp 22-28, May 1977. 

4. Ng, y.W, and A. Avizienis, “ARIES - An Automated Reliability 
Estimation System,” proceedings 1977 Annual Reliability and 
Maintainability Symposium , Philadelphia, pp 108-113, 

January 1977- 

5. Ng# V.W. and A, Avizienis, "A Model for Transient and 
Permanent Fault -Recovery in Closed Fault-Tolerant Sys terns, •• 

Digest of the Sixth International Symposium on Fault - Tolerant 
Computing . Pittsburgh, PA, pp 182-188, June 1976. 

6. Bjurman, B.E., et al, ‘'Airborne Advanced Reconfigurable 
Computer System, ARCS," NASA CR-145024, August 1976. 

7. "An Engineering Treatise on the CARE II Dual Mode and 
Coverage Model,” NASA CK-144993, Raytheon Equipment 
Development Laboratory, April 1976, 

a. Cann, B.R., et al, "CAST - a Complementary Analytic - Simulation 
Technique for Modeling Complex, Fault Tolerant Computing Systems” 

V-16 


in AGARDD graph #224, Integrity in ^Xeotrohic Flight Control 
Systems « A6AKD - NATO Neuilly - Sur -- Soine, France, April 1977. 

9. Bellman$^ Kichard, introduction to Matrix Analysis . McGraw-Hill I960* 
10. Sukert, A.N., "A Multi-Project Comparison o£ Software Reliability 

Models/* irssss^ina. 9£ MM Conierence gu Computers iHi Aerospace . 
Los Angles, CA, October 1977, p 41i. 




V47 


APPENDIX VI 


Typical SIFT, FTMP and FTFCS Concepts 

This appendix provides a description of typical fault tolerant concepts 
as examples of the type of equipment the Cost and Benefit Design Optimi- 
zation Model should be capable of optimizing. 



1.0 INTRODUCTION 


The technological foundations for fault-tolerant flight control systems 
(FTFCS) have been laid and avionics are being built which can be used in 
advanced commercial aircraft. The impact of an FTFCS approach is being 
studied in terms of advanced navigation, stability augmentation, displays, 
and fly-by-wire (references 1 and 2). 

The purpose of this section is to provide overview descriptions of various 
candidate FTFCS architectures which have been studied in the development 
of the economic evaluation model. 

There are two principal candidate FTFCS architectures. The Software 
Implemented Fault-Tolerant (SIFT) system, designed by SRI International, is 
being built as an engineering prototype by the Bendix Corporation. The 
Fault-Tolerant Multiprocessor (FTMP), designed by Charles Stark Draper 
Laboratories, is being built for flight tests by Collins Radio, This report 
will contain discussions of each of the two principal systems and will 
contain discussions of some alternative approaches to fault-tolerance as 
well. It must be understood that only the first two have been designed 
specifically for flight control of commercial airplanes so the details of 
the other systems involve some internal guesswork with respect to costs, 
reliability, etc. The discussions of the alternative systems will be brief 
and will depend upon the concepts laid down in the descriptions of SIFT and 
FTMP. 

The descriptions of FTMP, SIFT, and the alternative fault-tolerant systems 
are intended to provide information to the reader not already acquainted 
with such fault-tolerant designs; it is not the intent that the following 
material should provide formal or entirely accurate system specifications. 

With that disclaimer, this discussion will now center on the principle 
subjects of comparison; SIFT and FTMP. This report will describe each system 
in terms of fault response and reconfiguration. Other details will be 
provided if they help describe the mechanisms of fault response and recon- 
figuration. 

Vl-2 



ORIGINAL PAGE IS 
OF POOR QUALITY 


1.1 SIFT and FTMP Comparison 

i. 1;;;. , • %■ .?«.'<»»■ -Ai.f. .«i. ■«. 

\ 

I 

SIFT and FTMP share many redundancy management concepts. An executive program 
in each system is responsible for the detection of faults as well as system 
reconfiguration. Both use triple modular redundancy (TMR) in order to detect 
faults and to mask the effect of the fault to subsequent processes. In this 
report, a fault is defined as an error in data caused by a malfunction of some 
system component. Masking is the act of covering a fault by choosing, by 
majority vote, a value to represent the set of redundant outputs (reference 3). 
SIPT and FTMP not only identify and mask hardware faults, they also locate 
and replace the faulty component with a healthy part as long as spares are 
available. Beyond locating their source, no attempt is made to determine the 
nature of the failures that produce faults. When spares are exhausted, both 
systems have an identified set of critical tasks which will remain active at 
the expense of some of the noncritical tasks. SIFT and FTMP are both multi- 
processors and must manage concurrent different tasks, as well as redundant 
tasks. 

T . 1 . 1 

Both SIFT and FTMP are designed to be extremely survivable, centrally located 
FTFCS computers capable of performing such life critical functions as active 
controls, total fly-bv-wire, and total system management. 

Specifically, both SIFT and FTMP are designed to meet the functional and 
reliability requirements of a flight control computer system. These require- 
ments are; 

• Reliability goal— less' than 10"^ probability of catastrophic failure 
during a 10-hour flight. 


Vl-3 



Fault coverage--all Independent permanent and transient 
hardware faults. 

Reliability approach— multiple processors use redundant 
computations to mask faults, diagnose malfunctioning 
processors, and to reconfigure or reallocate tasks. 
Computational throughput-an overall processor load of 
about 500,000 operations/second. 


ORIGINAL PAGE IS 
OF POOR QUALITY 


ORIGINAL PAGE IS 
OF POOR QUALITY 

2.0 SOFTWARE IMPLEMENTED FAULT -TOLERANCE (SIFT) 

As the name implies, SIFT is a fault-tolerant system where reliability results 
from software techniques rather than through hardware fault-tolerance and fault 
avoidance mechanisms (reference 4). That is, SIFT achieves fault-tolerance 
through its task allocation strategies and through voting mechanisms and error 
isolation mechanisms built into the operating system. 

2.1 SIFT Hardware 

The hardware architecture to support fault-tolerant operations in SIFT is 
remarkably simple. SIFT consists of up to eight processors (six, nominally) con- 
nected to each other by a broadcast interface. See figure 1. Each processor has its 
own local memory with a copy of every SIFT task. Each processor communicates 
serially with external sensors and actuators. Figure 2 depicts the processor 
interface for one SIFT module. 

There are no built in test devices, error correcting/detecting busses, 
component isolation devices, or other special equipment to enhance 
reliability or detect malfunctions. 

The SIFT processor is a stock Bendix BOX 930 designed primarily for avionic 
applications. The main memory contains 30 K, 16 bit words and contains 
both system and flight applications programs. A 1 K, 16 bit scratch pad or 
data file is used to store the temporary results produced by the processor's 
tools. A 1 K, 16 bit transaction file is used to control the configuration 
and destinations of task outputs. The external bus is a MIL-STD-1553A serial 
half duplex link. Each 1553A can support up to 32 remote terminals with 
associated actuators and sensors. The broad’ cast interface is simply a 
write-only area in every processor which any given processor can access. 

The destination write areas for each piece of information produced by SIFT 
is stored in the transaction file (reference 5). Each processor, memory, 
and 1533 bus occupies a standard 1/2 ATR short LRU. See figure 3 for a list 
of important characteristics of the SIFT LRU. 


VI-5 



SIFT REDUNDANCY VIEN 


OWGINAU 

OF POOR QUALITY 


SENSORS, SERVOS SENSORS, SERVOS 


SENSORS, SERVOS 


£ 

\ I/O BUS 

1553A 

k 

I/O BUS 


1 

1553A 

Ml 

PI 1 

M2 

P2 1 

• • 


ns PS PROCESSOR 


BROADCAST BUSSES 


FIGORE 1 


NODULE CONPLENENT (EACH PROCESSOR) 

NENORY 1 memory INTERFACE t CONTROL 
HEMORY 2 CENTRAL PROCESS^;, !IMIT 
POWER SUPPLY PROCESSOR INTERFACE 
TIMING CONTROL BROADCAST/RECEIVER 
1553A CONTROLLER 


SIFT - PROCESSOR COMMUNICATION via BROADCAST BUS 


MILSTD 1553 BUS SI 


PROC 2 - 
PROC 3 - 
PROC A - 
PROC 5 - 
PROC 6 - 



FIGURE, 2 


PROC 2 
PROC 3 
PROC 4 
PROC 5 
PROC 6 




ORIGINAL PAGE IS 
OF POOR QUALITY 


SIFT LRU CHARACTERISTICS 


LRU SIZE! 4,85 X 7.6 X 12.6 in. 

ENVIRONNENT! CABIN CONDITIONED 

POWER REQUIREMENTS! 28 V 1 w/BATTERV BACKUP 

ESTIMATED MTBF! 6500 HR, 

INTERCONNECTIONS! BROADCAST/WRITE ONLY 

INTERFACE TO ALL 5 OTHER PROCESSORS 
COST! $27,000 Q979 dollars) 

THROUGHPUT! 500 KOPS GIBSON MIX-RAW 

INPUTS! (mil STD 1553 EXTERNAL DATA BUS/1m HZ BPS/32 PORTS) 
OUTPUTS! (mil STD 1553 EXTERNAL DATA BUS/Im HZ BPS/32 PORTS) 
MINIMUM MO. OF THIS COMPONENT REQUIRED FOR SUCCESSFUL OPERATION! 4 
STANDARD NO, OF THIS COMPONENT AVAILABLE! 6 
MAXIMUM NO,: 8 


FIGURE 3 


2.2 SIFT Software 

The essential characteristic of SIFT is the ability to detect a fault in a 
processor module, A fault is detected by voting, and voting is performed 
on the outputs of applications or global executive tasks. Only manfunctions 
which cause a disparity among the voters will be detected. 

With a risk of oversimplifying some important steps, we will attempt to 
describe how and when this voting takes place and what results therefrom. 



ORIGINAL PAGE IS 
OF POOR QUAimr 


2.2.1 SIFT Scheduling 

In SIFT, tasks are scheduled periodically according to the priority strategy 
show in figure 4. To illustrate voting, some details of the scheduling 
process will be explained. The highest priority frames (approximately 20 ms) 
are divided into subframes (about 2 ms) with each task assigned to a specific 
subframe depending on its voting dependencies. Prior to scheduling a task, 
the executive gathers the task's input data from producing processors, votes 
that data, and then releases it to the task about to be scheduled. Lower 
priority tasks are voted similarly but are not dependent upon their scheduling 
sequence within their priority frame. They double buffer their outputs and 
use, as inputs, data produced during the previous time frame. Figure 5 shows 
this double buffering mechanism. Even with the high priority task scheduling, 
SIFT is designed to allow up to BOy^sec of skew between processors. 



Vl-8 


ORIGINAL PAGE IS 
OF POOR QUALITY 


THE DOUBLE BUFFERING MECHANISM 



2.2.2 SIFT Voting 

When an error is detected by voting, the error is masked and recorded in a 
processor error table. The offending processor, however, remains active 
until an error count threshhold is reached at which time the processor is 
declared faulty and its tasks are reallocated, as shown in figure 6. Figure 7 
contains a brief algorithmic description of the voting and masking process. 

2.2.3 SIFT Executive 

In a system of SIFT processors, no single processor has permanent or temporary 
hegemony. Each processor has its own local executive. A global executive also 
exists and is run as a triplicated periodic task. The local 


VI9 








ORIGINAL PAGE W 
OF POOR QUALITY 


RECONFICURABLE VOTING 


BEFORE FAULT 


AFTER FAULT 


TASK t 


TASK 2 FROCESSOR TASK 1 TASK 2 



FIGURE 6 


r 

I VOTIMG ALGORITHR TRANSLATION 


LOOK IN THE BUFFER AREA FOR EACH PROCESSOR AND 
DO THE FOLLONlNGi 

• LOOK FOR BUFFER ADDRESS OF DESIRED VALUE 

• IF BUFFER, OFFSET IS ACTIVE 

- THEN assign BUFFER TO SET 'W' 

' ELSE ASSIGN BUFFER TO SET 'V 

• READ VALUE AND CHECK FOR CONSENSUS 

• IF CONSENSUS EXISTS 
" THEN BEGIN 

IF VALUE - CONSENSUS VALUE 

- THEN ASSIGN BUFFER TO SET 'X' 

- ELSii ASSIGN BUFFER TO SET *Y' 

IF BUFFER 111 SET 'V 

- THEN BEGIN 

SET BUFFER VALUE TO CONSENSUS VALUE 

SET FLAG IN ERROR TABLE 

END 

END 

- ELSE FILL ALL BUFFER VALUES IN SET 'r NITH 'SAFE' 
VALUE 

FIVMIf 1 


VHO 



executive; 

«> Sclu^duled tasks 

•: Votes input data and reports errors 

• Handles task output buffers 

• Handles errors locally 
The global executive: 

• Monitors error tables to look for processors with 

permanent faults 

• Allocates tasks to processors 

• Handles reconfigurations due to changes 

in flight phase 

It can be seen from the above admittedly simplistic discussion of the SIFT 
fault-tolerant implementation, that no hardware mechanisms are used to detect 
faults or to manage the system reconfiguration. Thus the model definition 
of reconfigurable components turns out to be very simple. Essentially there 
is only one feconfigufable component - the processor. The processor is 
used for whatever tasks allocated to it by the global executive until a 
permanent fault is detected. In the event of a permanent fault, the 
processor's tasks are all allocated to other processors. The faulty 
processor is ignored by its fellow processors even though it may write 
information into their broad-cast interface. The SIFT design approach is 
not restricted to the BOX 930 computer system but could be used with other 
processors. 


2.3 SIFT System Degradation 

In a SIFT system, the amount of redundancy employed is dynamic and is a 
function of the criticality of a given task and the current state of the 
system. One Implication is that, in the presence of several successive 
failures, a SIFT could be gracefully degraded in steps from a system of 
several T.M.R. processing channels to a single nonredundant channel. 

However, the clock generator synchronization algorithm employed (see figures 
8 and 9) requires that at least four SIFT LRU's with four nonf ailed clocks 
be operational to ensure timing integrity. Thus, the number of failed LRU's 
that should be tolerated in a six processor SIFT is two. 


VMl 



SIFT CLOCK SCHEME 


THREE CLOCKS, (ONE CLOCK FAILED) 


CLOCK 'A' SEESj 

CLOCK 'A' 

MEDIAN CLOCK ■ CLOCK 'A' 

O 

CLOCK 'B' 

O 

CLOCK 'C 

CLOCK 'C' SEES! 

CLOCK 'A' 

MEDIAN CLOCK - CLOCK 'C' 

© 
CLOCK 'B' 

o 

CLOCK 'C' 

IN THE CASE WHERE A CLOCK FAILS SUCH THAT IT CAUSES TWO GOOD CLOCKS 
TO 'SEE' IT DIFFERENTLY, THE MEDIAN CLOCK ALGORITHM MAY FAIL AND THE 
GOOD CLOCKS MAY DIVERGE, 

ncgwE 8 


SIFT CLOCK SCHEME 

FOUR CLOCKS (ONE CLOCK FAILED) 

CLOCK 'A' SEES: 

CLK 'A' CLK 'B' 

MEDIAN CLOCK - CLOCK 'C' 

O 

CLK 'C' 

0 
CLK 'D' 

CLOCK 'C' SEES) 

CLK 'A' CLK 'B' 

MEDIAN CLOCK » CLOCK 'C' 

O 

CLK 'C' 

0 
CLK 'D' 

CLOCK 'D' SEES: 

CLK 'A' CLK 'B' 

MEDIAN CLOCK - CLOCK 'C' 

O 

CLK 'C' 

0 
CLK 'D' 

HERE, EACH CLOCK TAKES A MAJORITY VOTE OF THE VALUES 'SEEN' FOR A GIVEN CLOCK BY ALL 
OTHER CLOCKS, 

IF NO SUCH MAJORITY EXISTS, THEN A VALUE OF 'NIL' IS GIVEN TO THE PARTICULAR CLOCK, 
THUS, DIFFERING READINGS OF ONE FAILED CLOCK DO NOT DESTROY THE MEDIAN ALGORITHM, 



VI-12 





3.0 


FAULT>TOLERANT MULTIPROCESSOR (FTMP) 


The FTMP is a fault-tolerant system where reliability results from hardware 
fault-tolerance and fault avoidance mechanisms along with software 
implemented component reconfiguration mechanisms built into the operating 
systems (Reference 8), 

The FTMP operates from a system view as a highly reliable three-processor 
multiprocessor consisting of an independent processor/cache-memory for each 
channel*, all three communicate, via serial bus lines, with a single three 
page mass memory and several task dedicated I/O ports. This multiprocessor 
viewpoint is shown In Figure 10 The fault-tolerance of FTMP comes from 
the fact that TMR Is employed for each processor, each memory page, 
each data line, and each module's incoming clock signal. Hardware bit-by-bit 
voting is performed on all data transfers and all sing^p errors are masked 
by taking a majority value (2 out of 3 vote). An executive program 
periodically searches the system for set error-latch registers, reconfigures 
the system (by reassigning bus-module associations) to pinpoint disruptive 
modules, and takes failed units off line, replacing them with spares. 

3.1 FTMP Hardware 


With the exception of bus lines, all components in the FTMP system are 
contained in ten identical LRU's. Each LRU contains; 

• One CPU/cache 

• One 16K main memory module 

• One Clock generator 

• One power supply 

• One t/0 port 

• Bus interfaces 

• Two bus controllers (BGU's) 

• Other hardware 

Of these, the CPU/cache, the main memory module, the clock, and the I/O 
port are fully reconfigurable. The LRU itself is not a reconfigurable part. 
Figure U shows the FTMP LRU main components. 


Vl-13 


0RK51NW. 

OF POOR 


FTMP - MULTIPROCESSOR VIEH 



HGURE iO 


FTHP - LRU MAIN COMPONENTS 


BGU - BUS GUARDIAN 
CPU - CENTRAL PROCESSOR 
C - CLOCK 


P - POLLING 

0 - OUTPUT 

1 - INPUT 





BUS 


fiiuRt U 


VM4 















Figures 12 through 16 contain important characteristics of the reconfigurable 
components of an FTMP, Characteristics are also supplied in figure for 
the FTMP LRU; since all components are contained within it, the LRU's 
characteristics provide references for many characteristics of the recon- 
figurable components. 

Each LRU contains its own power supply, which like the BGU's and the bus 
interface* is nonreconfigurable. All components within the LRU are supplied 
5 VOC by this power supply. The power supply itself draws 28 VDC from a 
quadruple redundant system-wide main power source. See figure 10. 

In addition to those components contained in the FTMP LRU, there are a total 
of 20 back-plane mounted bus li.ies divided into four different types: five 
'O' lines for processor to memory data transfers; five 'I' lines for memory 
to processor data transfer; five 'C lines for clock signal transfers; and 
five 'P' lines used for bus contention resolution. Each bus line has its 
own dedicated power supply. 


OBlGlNftV- PAGE IS 
OF POOR QOAUr^ 


Vl-15 


ORIGINAL PAGE IS 
OF POOR QUALITY 

PROCESSOR/CACHE 

• SIZE 

- DIMENSION: 8 - 1/2 ATR CARDS 

- WEIGHT; NA 

• ENVIRONMENT: SEE LRU 

• POWER REQUIREMENT 

- 5 VDC 

- SOURCE: LRU'S OWN POWER SUPPLY 

• PHYSICAL INTERCONNECTIONS 

- BUS LINES: SEE LRU 

- INTERFACE TO 

10 MEMORY MODULES 
10 I/O PORTS 
10 CLOCKS 

• RELIABILITY; MTBF = 20,000 HOURS 
COST« CARD COUNT 

• THROUGHPUT: 500 KOPS (GIBSON MIX) 

• INPUT: SEE LRU 

OUTPUT: SEE LRU 

• COMPLEMENT: 10 

• MINIMUM COMPLEMENT: 2 

FIGURE 12 


VM6 



ORIGINAL RAGE IS 
OF POOR QUALITY 

MEMORY MODULE 

• SIZE 

- DIMENSION: TWO 1/2 ATR CARDS 

- WEIGHT; DNA 

• ENVIRONMENT: SEE LRU 

• POWER REQUIREMENTS 

- 5 V.D.C. 

- SOURCE: LRU'S OWN POWER SUPPLY 

• PHYSICAL INTERCONNECTIONS 

- BUS LINES: SEE LRU 

- INTERFACE TO 10 PROCESSOR/EACH MODULES 

• RELIABILITY; NA (APPROX- 20.000 HOURS) 

• COST a CARD COUNT 

• THROUGHPUT; CYCLE TIME = NA 

• INPUT: NA 

• OUTPUT; NA 

• COMPLEMENT; 10 

• MINIMUM COMPLEMENT; 2 

figure 13 


Vi-17 



ORIGINAL PAGE IS 
OF POOR OUAUTV 

CLOCK 

• SIZE 

- DIMENSION: ONE-HALF 1/2 ATR BOARD 

- HEIGHT: NA 

• ENVIRONMENT: SEE LRU 

POWER REQUIREMENTS 

- 5 VDC 

- SOURCE: LRU'S OWN POWER SUPPLY 

• PHYSICAL INTERCONNECTIONS 

- INTERFACE TO ALL OTHER SYSTEM MODULES 
VIA 5 'C' BUS LINES 

• RELIABILITY: MTBF = 30,000 HOURS 

• COSTa CARD COUNT 

• THROUGHPUT i NA 

• INPUT; NA 

• OUTPUT: NA 

• COMPLEMENT: 10 

• MINIMUM COMPLEMENT: A 

FIGURE 14 


VI- 18 



ORIGINAL PAGE IS 
OF POOR QUALITY 


BUS LINE 

• SIZE: NA 

• ENVIRONMENT 

- COCKPIT 

- SYSTEM BACKPLANE 

• POWER REQUIREMENTS 

- 28 V.D.C. 

- SOURCE; OWN POWER SUPPLY 

• PHYSICAL INTERCONNECTIONS 

“ ALL TWENTY BUS LINES CONNECTED TO EACH 
LRU^S BUS INTERFACE 

• RELIABILITY: NA (DEPENDS ON POWER SUPPLY) 

• THROUGHPUT; NA 

• INPUT; 16 MHZ DATA RATE 

• OUTPUT; 16 MHZ DATA RATE 


• COMPLEMENT; 20 

• MINIMUM COMPLEMENT 
- LOGICAL MINIMUM 

5 'P' LINES 
3 '0' LINES 
3 'I' LINES 
A 'C' LINES 


FIGURE 15 


VH9 



ORIGINAL PAGE 
OF POOR QUALITY 

I/O PORT 

• SIZE 

- DIMENSIONS THREE 1/2 ATR CARDS 
-WEIGHT! NA 

• ENVIROHMENT! SEE LRU 

• POWER REQUIREMENTS 

- 5 VDC 

- SOURCE: LRU'S OWN POWER SUPPLY 

• PHYSICAL INTERCONNECTIONS 

- INTERNAL COMMUNICATION: SEE LRU (BUS LINES) 

- INTERFACE TO 

10 PROCESSOR/CACHE MODULES 
SENSORS AND ACTUATORS 

• RELIABILITY: MTBF - 30.000 HOURS 

• COSTocCARD COUNT 

• TRHOUGHTPUT: NA 

• INPUT 

- MIL STD 1.553 SIMPLEX 

- 8 MHZ DATA RATE 

• OUTPUT 

- MIL STD 1553 SIMPLEX 

- 8 MHZ DATA RATE 

• COMPLEMENTS 10 

• MINIMUM COMPLEMENT: 1 

FIGURE 16 


Vl-20 


ORIGINAL PAGE 13 
OF POOR QUALITY 


LRU 


• SIZE 

- DIMENSION: 1/2 ATR LONG STANDARD BOX CONTAINING 

21 1/2 ATR CARDS 

- WEIGHT: <10 LBS- 

• ENVIRONMENT: COCKPIT 

POWER REQUIREMENTS 

- 28 VDC/150 WATTS 

- FOUR LINES 

- SOURCE: AIRCRAFT GENERATORS; BATTERY BACKUP 

• PHYSICAL INTERCONNECTIONS 

- 20 BUS LINES 

* INTERFACE TO ALL NINE OTHER LRU's 
RELIABILITY: MTBF - 2000 HOURS 

• COST: $35,000 Q979 $'s) 

• THROUGHPUT; NA 
INPUTS 

- ONE I/O PORT 

- MIL STD 1553 EXTERNAL BUS 

• OUTPUTS 

- ONE I/O PORT 

- MIL STD 1553 EXTERNAL BUS 

• COMPLEMENT: 10 

• MINIMUM COMPLEMENT: A 

FIGURE 17 


Vl-21 



3.2 


FTMP Software 


While the fault detection and masking of FTMP are implemented by hardware 
devices, system configuration, reconfiguration, and task assignment are 
software implemented. 

3.2.1 FTMP Executive 

The executive program is responsible for maintaining the state of the system. 
This includes initialization of the system into the following configuration: 

• Three processor/cache triads 
(Nine of ten processors used) 

• Three main memory pages - each a triad. 

Page one contains system and applications 
programs and is written in non-volatile form 
(R.O.M.). Page two contains dynamic variables. 

Page three is not needed for fully configured 
operation. 

(Nine of ten processors used) 

• One clock quad. 

(Four of ten clocks used) 

• Several I/O ports - one per active task. 

Figure 18 shows a fully configured system; note that the presence of a failed 
module within an LRU does not affect the ability of other modules in that 
LRU to be configured into triads or quads. 

The module configuration explained above is accomplished by the assignment 
of the proper bus lines to active modules. 

3. 2.1.1 FTMP Bus Line Assignments 

A fully configured active bus network consists of: 

• One 'O' line triad - each member of a P/C triad 'talks' to 
main memory over one member of the current 'O' line triad. 


VI-22 



ORIGINAL PAGE IS 
OF POOR QUALITY 


FTHP REDUNDANCY VIEW 




m 


p/c 


CLK 


I/O PORTS 


Z3 

n 


1 


■ 

Z2 

■ 


1 


1 


■ 


1 


1 

i 


■I 


■ 


m 


m 


m 


m 


m 


M 


■ 

8$ 


A1 


A2 


01 H 


HA3 


B3 


02 


0 




HC3 


03 H 


HB2 


qnH 


Cl 


Q 


C2 


B1 


SPARE 




LRU til 


ACTIVE FAILED 

nWRE IB 


0 m m 

SPARE 


(Three of five lines used) See figure 19. 

• One line triad - each member of a main memory page sends 
data to a P/C over one member of the current 'I' line triad. 

(Three of five lines used) See figure 20. 

• One ’C line quad - four clocks (in phase locked loop) are 
necessary to prevent drift; each module selects three out of 
four active 'C lines to form its clock triad. 

(Four of five lines used) See figure 21. 

• All five 'P' lines are available to 'poll' the current bus 
triads and quad for access. 

The bus assignments above (as determined by the executive) are maintained 
by a dual redundant bus controller, called the Bus Guardian Unit (BGU), in 
each LRU. Bus assignment consists of the controller's latching of the 


VI-23 





ORIGINAL PAGE 13 
OF POOR QUALITY 


SYSTEM CONFIGURATION 


FTH? - INTERCONNECTION SCHEME (0 - LINES) 


FtOIKC 19 


correct lines in the bus interface. The bus interface and the two BGU's 
are not reconfigurable and, thus, must control all data flow to and from 
the components in their LRU, no matter how these components are configured 
throughout the system. 


3. 2. 1.2 


FTMP Task Schedulinc 


Tasks are scheduled from the common task pool. Upon successful completion 
of a task, a processor triad executes the next available task 
from the pool. This task will be run to completion, without interrupts, 
unless system self testing or error recovery routines require reconfiguration 
of the task's particular triad. 











VI-25 










ORIGINAL PAGE IS 
OF POOR QUALITY 

3,2.2 FTMP Fault Recovery 

Figures 22 and 23 demonstrate what steps the executive program would initiate 
in recovering from a faulty processor-to-meinory data transmission. In this 
example, processor II of Triad A is failed and is the source of the erroneous 
data. The data disagreement is detected by the hardware voters associated 
With the destination main-memory modules (a triad). These voters will 
automatically set hardware error-latch registers, indicating which bus line 
the faulty data bit was transmitted on. The executive program periodically 
scans these registers and, if an error-latch is set, initiates 
reconfiguration. This reconfiguration consists of disassociating suspected 
data source modules from suspected data busses; further voting discrepancies 
will pinpoint the source of faulty data. In addition, an error table is 
kept which tabulates the number and rate of faults caused by each of the 
reconfigurable modules in the system. This table is used to determine when 
a unit should be considered failed and, therefore, be brought off-line. 


FTMP RECONFIGURATION ALGORITHM 

— — — ^ 1 

• 

TRIAD 'A' SENDS DATA ON 0-LINES 1. 2 , 3 


• 

VOTER DETECTS DATA DISAGREEMENT AND SETS ERROR 
LATCHES 


• 

A PROCESSOR TRIAD NOTICES ERROR LATCH 


• 

ERROR LATCH LOCALIZES ERROR TO O-LINE 1 OR ITS 
ASSOCIATED PROCESSORS 


• 

TASK LIST WILL LOCALIZE ERROR TO PI 
BUS LINE 1 



NEXT MEMORY WRITE OCCURS 


• 

VOTER DETECTS DATA DISAGREEMENT AND SETS 
ERROR LATCHES 


• 

ERROR LATCH LOCALIZES ERROR TO O-LINE 2 OR ITS 
ASSOCIATED PROCESSORS 


• 

PREVIOUS ERROR EXPOSES (VIA ERROR TABLE) PI 
AS FAILED UNIT 

r .’5 ; 


Vl-26 


ORIGINAL PAGE 
OF POOR QUALITY 


FIHP SECOflflGURATIOfl 


TRIAD A 


TRIAD B 


TRIAD C 





FAILED 





Q ■ LINE 1 


1 







mmmmm 






P/C 


P/C 











IHIMI 


M/H 



P2' 






\ ' J 



P/C 




P/C 


v'SIr 









0 - LINE 3 

iORY MODULE 











P/C 


P/C 


P/C 




FAILED UNIT RESULTS IN VOTING DISCREPANCY 









0 - LINE 1 




P3 




■■ 









hhi 






FAILED 


HHH 





M/M 



PI 




EB 



n/n 










■■ 1 








' 0 - LINE 3 




“~pr" 








AFTER RF,CONFiGUPj\rio;j. NEXT VOTINfi DISCREPANCY EXPOSES FAILED UNIT 


1 








1 |J/!'U 43 


3.3 FTMP SYSTEM DEGRADATION 

The executive is also responsible for graceful system degradation due to 
exhaustion of spares. 

In the case of processor/cache modules, this entails dismantling one 
triple-redundant processor triad and designating its members as spares. 

This, of course, cannot be done if there is only one active triad. In this 
case, degradation consists of operating as a dual-redundant processor; further 
degradation will be catastrophic. 

There is no graceful degradation of clock generators; if ‘sss than four clock 
generators are available, synchronization cannot be guaranteed. Less than 

four clocks can be used but the system will then be susceptible to catastrophic 
timing failures. 

Because only one I/O port is necessary for system operation, up to nine failed 
ports can be tolerated. System performance will be degraded, however, in 


VI-27 















that active processors and sensors will be competing for access to the remaining 
ports. 

Memory page degradation consists of the following: 

• Since page 3 is not necessary for system operation, it may be dis- 
mantled and its members used as spares without degrading performance. 

• If a member of the 'page 1* triad fails, it must be replaced with a 
volatile spare and thus a degree of protection is lost. 

• As page 1 and page 2 memory modules are not interchangeable, failure of 
more than four modules will result in dual redundant configuration of the 
affected page. 

4.0 SIFT AND FTMP COMPARISONS 


The choice of a software approach for voting and for other fault-tolerant 
mechanisms in the SIFT system leads to some fundamental operational 
differences from the essentially hardware based fault-tolerant mechamisms 
of the FTMP. In addition, each system has some design constraints (hardware 
and software) which Ijmit or enhance its operational bounds, as well as 
serving to further differentiate the two systems. Several such features 
are noted, am their effects discussed, in the following two sections. 

4.1 SIFT Software Approach 

The use of non-specialized hardware along with a completely software based 
redundancy management scheme has several broad advantages. 

• The first and most obvious advantage is the ability to use 
various computer architectures in the realization of a SIFT 
system. This is possible because, as a software system, 

SIFT is a concept relating various pieces of hardware rather 
than being the hardware itself. 


VI28 



• The use of a standard micrecomputer as the main SIFT component 
results in a minimum number of reconfigurable parts. This 
has the dual advantage of providing more easily defined 
reconfiguration algorithms as well as resulting in a simpler, 
more reliable LRU. 

• The loose synchronization employed in a SIFT means less 
processor to processor data transfers will occur. This should 
result in a somewhat lower incidence of data path errors. 

• Finally, the system's flexibility is enhanced by its ability 
to dynamically control task redundancy. 

There are also several disadvantages to SIFT's software approach, not the 
least of which being the complexity and the inherent non-provability of the 
software algorithms themselves. Also, while the loose synchronization 
employed in a SIFT does reduce the number of data transfers, it does not 
result in less critical long term timing constraints. Four clocks are needed 
to meet the loose lOy.isec synchronization - the same number as are required 
for the tight bit-by-bit synchronization of an FTMP. Finally, the use of 
one reconfigurable component type means that the failure of part of an LRU 
results in the loss 'of that whole LRU. 

4.2 FTMP Hardware Approach 

The advantages of an FTMP over a SIFT consist, mainly, of benefits gained 
by the several specially designed hardware devices and the functional 
discreteness of these components within an LRU. 

For example, an FTMP can tolerate a number of failures in several LRU's 
without seriously degrading system performance. In particular, the ability 
to reconfigure sub-LRU components results in a complex combination of failed 
units being necessary to cause a whole LRU to be taken off line. 

The tight synchronization employed in FTMP, in conjunction with bit-by-bit 
voting, exposes faults before they can have a widespread effect. This 


VI29 



feature and the nearly exclusive use of TMR have the additional effect of 
making the FTMP at least conceptually more defined and, thus, more easily 
provable. 

There are, as well, several disadvantages to the FTMP approach. The number 
of reconfigurable modules and the interface complexity combine to form what 
may be a troublesome source of faults. This same component compiaxity is 
the source of a large amount of hidden software in FTMP, In fact, it is 
not clear that the reconfiguration and self test algorithms necessary to 
maintain the FTMP system integrity are any less complex and numerous than 
for the software based SIFT system. 

The FTMP is susceptable to two types of electrical failures. As was 
mentioned previously, the heavy data transfers necessary for bit-by-bit 
voting of all results may itself be a source of data errors. Also, switching 
failures may be somewhat common due to the large amount of bus latching 
required for reconfiguration as well as from the switching and loading 
required to bring spare modules on and off line. 

5.0 MAINTENANCE 

Automatic digital test equipment, such as the RCA EQUATE, can be used on an 
FTMP or a SIFT for field repair of components at the integrated circuit 
level. This ability is enhanced by the fact that both systems employ a great 
degree of physical isolation of functional units. The stumbling block to 
field repair is the problem of recertification of the failed component's 
LRU once the repair has been made. Field recertification would involve 
exercising the repaired system With a complete set of application programs 
- a procedure which neither system is currently equipped to perform. The 
solution to this problem would be to have available at repair stations a 
permanent SIFT or FTMP into which repaired LRU's could be inserted for 
recertification. A complete set of application and system diagnostic tests 
could then be run on the SIFT or FTMP. The loading of the test programs 
and the evaluation of data would require the use of an external minicomputer 
system, most likely on the order of a DEC POP 11/70. 


l ^ 


O 


(j 


o 




O 


O 


VI-30 


It can be said, then, that an FTFCS system would be field repairable, but 
not without a considerable investment In digital test equipment and 
minicomputers. 

An alternative repair procedure, which would ellm nate the need for field 
repair, is that failed LRU's be returned to the manufacturers on a *flat 
rate' exchange basis for repair and recertification. This policy would 
have to include stringent rules requiring a definite system defined failure 
before an LRU may be returned, thus avoiding an excessive repair shop flow 
as well as avoiding spurious failure rate data. 


6.0 TRENDS 

It is our judgement that SIFT or FTMP implementations, as comprehensive 
flight control processors, will not appear in commercial aircraft before 
1985. In order for such systems to appear before that time, a crash program, 
motivated perhaps by energy conservation, to push It Into the 757-767 series 
aircraft would have to be Implemented. As the 757-767 flight control systems 
have already been specified without monolithic fault-tolerance, this is not 
too likely. 

6.1 SIFT Trends 


Changes in technology in the late 1980 's will probably not affect SIFT 
conceptually if it proves practical in the first place. Cheaper memory and 
more powerful processors will, up to a point, create a potential for more 
powerful individual SIFT processors. Use of more than one SIFT system in 
tandem is a possibility. Complexity is a trap in SIFT because it requires 
proof of concept and implementation to achieve the reliabilities specified 
for the project. Hence, changes brought about by 1990 technology will be 
incorporated into SIFT if the inherent simplicity of the plan can be 
preserved. 

One possible use of SIFT in the 1980-1990 period is as a rather cheap method, 
in terms of hardware, of implementing a redundant system. A microprocessor 


based SIFT would be less expensive than many of the redundant microprocessor 
implementations which require fewer processors but more complicated 
interfaces, hardware voters, and built in configuration controllers or test 
hardware. Therefore, a SIFT might appear as a dedicated avionics computer, 
navigation computer, an active control system, engine controller, or ILS 
system, serving a narrower set of applications than those envisioned by the 
designers. 

6,2 FTMP Trends 

As with SIFT, late 1980's technology changes will probably not have a 
significant impact on the FTMP design concept, Changes that are likely to 
occur are in the areas of faster memories and processors, and smaller and 
more reliable components in general. (In fact, the FTMP LRU card count has 
been reduced during this study.) One possibility to be considered 
is that complete FTMP LRU's may, in the future, be reduced in size to a 
single printed circuit board or even a single integrated circuit chip. 
Integration of components beyond this level is unlikely as the concept of a 
separate, repairable LRU would be lost. 

As with the SIFT, several FTMP's might be used as dedicated or parallel 
fault- tolerant systems; one concept under consideration is the use of a 
parallel pair of FTMP's connected by a Unibus-like data link. 

However, unlike the SIFT system, the FTMP architecture is designed around a 
set of specialized hardware; hence, the ability to implement FTMP's using 
components other than the Collins Radio design is eliminated. 

7.0 PERIPHERALS 


An attempt has been made here to evaluate the effect of peripheral devices 
(sensors, actuators) on the operation or the reliability of either system. 

The reliability of the various peripherals will , for a 'proven' SIFT or FTMP, 
be the determinating factor in whether a fault-tolerant flight control system 
does or does not meet the required system specifications. While it is the 


yi-32 


ORIGINAL PAGE 13 
OF POOR QUALITY 


case that a standard fault- tolerant sensor/actuator configuration does not 
at this time exist, we believe that several present design trends will remain 
stable throughout the development of fault-tolerant active flight control 
systems. A few of these are; 


• The continued use of standard avionics devices for sensors 
and actuators - It is believed that the duty cycle for sensors 
and actuators in fault-tolerant systems will not greatly 
exceed the present norm. In addition, the reliability figures 
for individual components are high enough to allow the 
continued use of 'off-the-shelf' units. 

• The continued use of redundancy - Current designs for active 
controlled commercial aircraft make extensive use of 
redundancy at the actuator and sensor level. A novel 
variation on actuator redundancy is the Bendix dual mode 
actuator which operates both as a pneumatic and an electrical 
actuator. In the case of electrical or pneumatic signal 
failure^ there is a smooth transition to single mode operation 
(Reference 7). 


• The use of 'smart' devices - SIFT and FTMP are designed to 
perform sensor and actuator data voting within the central 
computer with the enhancement of mechanical voters at the 
actuator level. Full active control configured aircraft 
will probably employ some small processors at the sensor/ 
actuator level to perform such tasks as reasonableness of 
data checks, voting, and, in certain cases, dedicated data 
processing. 


8.0 


ADD 1 rj.QNAL 


As well as reviewing typical SIFT and FTMP concepts, two 

additional fault-tolerant computer designs were studied as example systems. 
The first, the AFTI-16 Digital Fly-by-Wire System is a TMR system designed 


VI-33 



ORIGINAL PAGE 18 
OF POOR QUALITY 


by Bendix Corporation to replace the present F-16 Quad Analog FBW system. 
The second example system is a non-flight control redundant computer, the 
C.vmp multiprocessor. 

8,1.0 AF T I -16 

The AFTI-16 flight control computer is a TMR system employing no spares but 
including a final analog back-up system (Reference 9). The system is being 
designed so as not to rely on the back-up system; therefore, the following 
discussion will not include the analog components. 

AFTI-16 System Description 

From a system point of view, the AFTI-16 appears as in figure 24. Here, 
the system does not differ fundamentally from the SIFT or the FTMP; it is 
essentially a black-box computer interfacing sensors and actuators. 


An I -IK DFCS 



?ICURC 24 





ORIGINAL PAGE IS 
OF POOR QUALITY 


The fault-tolerant nature of the AFTI-16 is revealed in figure 25. In this 
figure, it can be seen that the AFTI-16 shares many features with the SIFT 
system; 


• Both operate mainly under TMR. 


• Both communicate internally to write-only areas via broadcast 
busses. 

• Both handle I/O Cto sensors and actuators) via bus lines from 
each channel. 

• Both have external 1553 data links— In the case of SIFT, for 
I/O; in the case of AFTI-16, for Fire Control communication. 

• Both have only one reconfigurable module: a combination of 
Processor, Memory, and I/O Port. 


TO/FRQM 
COMPUTER -i 



DRIVES 


AND 

CONTflOl, 

INPUTS 


DRIVES 


AND 

CONTflOl. 

INPUTS 


DRIVES 


AND 

CONTROL 

INPUTS 


TO/FHOM 

-COMPUTER 


SYSTEM AflCHITECTURE 
TRIPLE redundant SYSTEM 


INTERCOMPUTER DATA 
LINKS iBROADCAStl ^ 




IGS3 DATA LINK 


ANALOQ/OISCRETE INPUTS 
AND Outputs 


fICUHE 25 


Vl-35 




ORIGINAL PAGE IS 
OF POOR QUALITY 


The fundamental differences between a SIFT and an AFTI-16 are the number and 
thus the configuration of reconfigurable modules, the varying redundancy of 
tasks, and the difference in overall complexity. The AFTI-16 relies on three 
processor modules with software voting of outputs but incorporates no spares 
or multiple channels. Because of ♦•he lack of spares, reconfiguration consists 
of system degradation, i.e,, .dropping of processor modules. System degrada- 
tion occurs after even one failure, the result being a dual redundant system. 

The second failure is tolerated by software 'reasonableness of data' tests 
to determine which of the two active modules is failed. In addition, there 
is the aforementioned analog back-up system; this back-up is not considered in 
the manufacturers analysis of system reliability and therefore is not considered 
necessary for the probability of a successful mission to be within the accepted 
bounds. 

8.1.2 AFTI-16 Component Characteristics 

A fully configured AFTI-16 flight control computer system consists of three 
reconfigurable Flight Control Computers (FLCC's) and one non-reconfigurable 
Actuator Interface Unit (AIU). (The purpose of the AIU is to interface the 
FLCC's with the set of nonredundant actuators.) The AFTI-16 FLCC is built 
around the BOX 930 processor, another feature shared by the SIFT system. 

Figure 26 contains the characteristics of the AFTI-16 reconfigurable module, 
the FLCr 

8.2.0 COMPUTER-VOTED MULTIPROCESSOR (C.vmp) 

The C.vmp had as a design motivation industrial applications where 
availability, inexperienced users, variable criticality of tasks, and 
throughput needs are prime considerations (Reference 10). 

8.2.1 C.vmp System Overview 

Figure 27 shows the system view of the C.vmp. Three processors are 
connected, via parallel -bit bus lines, to three memories and three disk 
drives. The processors may run as three separate channels for maximum 
throughput (communicating via Parallel Line Units), or they may be switched, 
by operator or program control, into one TMR channel with voting performed 


VU36 


AFTI-16 FLCC Characteristics 


• Component $ize 

- Dimensions: 16.00" x 8.1" x 4.88" 

- Weight: 14 pounds 

• Environment: Forward, Avionics Compartment 

• Power Requirements: Dual Redundant 28 Volt Line 

W/24 V Battery Back-Up 

• Estimated MTBF: 2200 hr MTBF 

• Interconnections: Broadcast/Write Only Interface 

to Two Other FLCC's 

• Cost: $36,000 

• Throughput: 500 KOPS Gibson Mix-Raw 

• Inputs: Analog Sensor Lines 

• Outputs: Analog Sensor Lines 


• Minimum Complement: One 

• Standard Complement: 3 

• Maximum Complement: 3 

Figure 26 


(by V in figure 27) on all data transfers to and from memory. Figure 28 
shows the bus lines and multiplexing units necessary to accomplish parallel 
or triad (voted) processing and data transfers. 

System degradation, in the event of hard failures, consists of dropping failed 
channels and switching to parallel processor mode. 

8.2.2 G.vmp Hardware 

The reconfigurable module in the C.vmp system is the processor/memory module. 
The voter is not reconfigurable. The processor is a DEC LSI-11 microcomputer 
with seven 4K RAM memories per processor. Figure 29 gives the characteristics 
of the C-vmp processor/memory. 


vr-37 












ORIGINAL PAGE IS 
OF POOR QUALITY 

C.VMP PROCESSOR 

• Size; Quad Height Board 

• Environment; Control Room 

• Power Requirements: 14 amps 

• Physical Interconnections: DEC LSI-11 QBUS, Interface to two 

other processors, voter, and disk 
drive 

• Reliability: 7,000 hours MTBF 

• Cost: $2,500 

• Throughput; 250 KOPS 

• Input: Parallel Bit, Voted DEC LSI-11 QBUS 

• Output: Parallel Bit, Voted DEC LSI-11 QBUS 



• Complement: 3 

• Minimum Complement: 1 

I 

1 

FIGURE 29 I 

I 

i 

I 

I 

I 

i 

9.0 REFERENCES I 

i 

I 

1. Wensley, J. H. et al , "Design of a Fault Tolerant Airborne Digital 
Computer, Volume I - Architecture", Final Report NASA Contract NASl-10920, 

October 1973. 

2. Ratner, R.S. et al , "Design of a Fault tolerant Airborne Digital Computer, 

Volume II - Computational Requirements and Technology", Final Report NASA 
Contract NASl-10920, October 1973. 


Vl.39 



3. Avizienis, A., "FauU-tolerant Computing - Progress, Problems and Prospects," 
Proc. IFIP Congress 1977, Toronto, Canada pp 405-420* 

4. Wensley, 0. H. et al , "SIFT: Design and Analysis of a Fault-Tolerant 
Computer for Aircraft Control", Proceedings of the IEEE, Vol 66, No. 10, 
October 1978, p 1240-1255. 

5. Forman, P. et al , "Multiprocessor Architecture for (SIFT) Flight Control 
and Avionics Computer", Abstract, Bendix Corporation, Flight Systems 
Division, Teterboro, New Jersey, March 1979. 

6. F.A.A. Certification Regulations Information Circular; Part 25; Para. 671, 
672, 1309, 1435. 

7. R. E. Feucht, P. Forman, R. Krehley, "Advanced Flight Control Actuation 
System (AFACS-E-P)". MAOC-77001-60, Bendix Corporation, June 1978. 

8. Hopkins, A. L. et al , "FTMP - A Highly Reliable Fault-Tolerant Multiprocessor 
for Aircraft", Proceedings of the IEEE, Vol 66, No. 10, October 1978, pp 
1221-1239. 


9. AFTI-16 Digital Fly-by-Wire System Technical Overview, Bendix Co. Flight 
Systems Division, May 24, 1979. 


10. Siewiorek.D, P. et al , Reliability of Multiprocessor Systems: A Case Study 

of C.mmp, Cm* and C.vmp, Department of Computer Science, Carnegi e-Mel Ion 
University, Document No. CMU-CS-78-143, pp 39-69. 


ORIGINAL PAGE IS 
OF POOR QUALITY 


VI-40 



APPEHDIX Vn 
REPAIR SHOP SIMULATION 


This ai^endix contains details of a typical repair shop simulation that was developed 
to gain experience with SIMSCRIPT programming and to form a part of the Phase II 
CBDOM program. 

The data flow diagram illustrates the processes performed and the interfaces between 
various processes. On the data flow diagram: 

Circles: represent SIMSCRIPT PROCESSES, EVEN'K, or ROUTINES 

Arrows: represents jobs flowing through the system 

; represent files or storage areas 

A sample program execution and a listing of repair shop codes also are provided. 


original PAQf 

OF POOR quality 






Vll-2 






SAMPLE- REPAIR SHOP SIHUUTION RUN 


dslgo 

X AVIONICS JOB SHOP SIMULATION 

INPUT NUMBER OF ATE, REPAIR BENCHES, AND TEST BENCHES 
I>2 2 2 

INPUT Kl, K2, K3, K4, AND K5 
I>30 30 30 30 30 

INPUT RUN TIME IN DAYS 
I>60 

INPUT 18 EQUIPMENT TYPES (1=ATE,2=TB,3»EITHER) 

I>1 111112 2 2222333333 
INPUT MEAN NUMBER OF ARRIVALS PER DAY 

I>2 

INPUT PROB. FAULTS CONFIRMED, PROB. REPAIR IS GOOD 
I>.9 .9 

INPUT RANDOM STEP VARIABLES (TERMINATE WITH ASTERISKS) 
INPUT COMPONENT TYPE DISTR. 

I>.1 1 .1 3 .1 5 .1 7 .1 9 .1 11 .1 13 .1 15 
I>.2 18 * 

INPUT PRIORITY DISTRIBUTION 
I>.8 1.23* 

INPUT EQ.TYPE DIST. FOR COMPONENT TYPE 18 
I>.4 1 .4 2 .2 3 * 

TRACE OPTION ? (YES OR NO) 

I>no 

LIST INPUT DATA ? (YES OR NO) 
l>yes 


ORlGlNAt PAGE IS 
OF POOR QUALFTY 


VII-3 


ORIGINAL PAOI II 
OF POOR QUALITY 


SAMPLE OF OUTPUT FOR REPAIR SHOP SIMULATION 

NUMBER OF 


ATE 

a 

2 







RB 

- 

2 







TB 

= 

2 







K1 - 

MAX 

P3 DELAY 

TIME BEFORE INTERRUPT 

OF 

ATE 

s 

30 

MIN 

K2 - 

MAX 

P3 DELAY 

TIME BEFORE INTERRUPT 

OF 

TB 

= 

30 

MIN 

K3 - 

MAX 

OVERTIME 

AUTHORIZED FOR ACTIVE 

JOBS 

— 

30 

MIN 

K4 - 

MAX 

TIME FOR 

REPAIR AT ATE 



= 

30 

MIN 

K5 - 

MAX 

TIME FOR 

POST REPAIR TEST AT ATE 



30 

MIN 

COMPONENT 

EQ. TYPE COMPONENT BQ.TYPE 

COMPONENT 

BQ.TYPE 


c? 


1 

i 

2 

1 

3 

1 


4 

1 

5 

1 

6 

1 


7 

2 

8 

2 

9 

2 

f 

10 

2 

11 

2 

12 

2 


13 

3 

14 

3 

15 

3 


16 

3 

17 

3 

18 

3 


MEAN INTERARRIVAL TIME = 

12.00 HOURS 



C 

PROB. FAULT 

CONFIRMED = 

.90 PROB. 

FAULT 

REPAIRED = .90 




DISTRIBUTION OF COMPONENT TYPES (CUM) 
PROBABILITY TYPE 


1 

3 

5 

7 

9 

11 ^ 

13 

15 

18 


DISTRIBUTION OF PRIORITIES (CUM) 


PROBABILITY 

PRIORITY 

.80 

1 

1.00 

3 


DISTRIBUTION OF 

BQ.TYPE 

FOR COMPONENT TYPE 18 

PROBABILITY 

EQ.TYPB 


.40 

1 


.80 

2 


1.00 

3 




VI14 


.10 

.20 

.30 

.40 

.50 

.60 

.70 

.80 

1.00 


ORIGINAL page IS 
OF POOR QUALITV 


SIMULATION ENDED AT 60- 0: 0 NO. JOBS « 10<’ 


HISTOGRAM OF THROUGHPUT TIMES BY COMPONENT TYPE 


COMPONENT TYPE 


1 


2 

3 


4 

5 


6 


7 


8 


9 

HOURS 

- — 

— . 


• — 



— 


— 

— 

- — 

-- - 


— 


— 

4 


0 


0 

0 


0 

1 


0 


0 


0 


0 

8 


0 


0 

1 


0 

1 


0 


0 


0 


0 

x2 


1 


0 

0 


0 

0 


0 


0 


0 


0 

16 


1 


0 

3 


0 

2 


0 


0 


0 


0 

20 


1 


0 

0 


0 

1 


0 


0 


0 


0 

24 


1 


0 

1 


0 

1 


0 


0 


0 


0 

28 


0 


0 

1 


0 

0 


0 


0 


0 


0 

32 


0 


0 

0 


0 

0 


0 


0 


0 


1 

36 


0 


0 

2 


0 

0 


0 


0 


0 


0 

40 


0 


0 

1 


0 

0 


0 


0 


0 


1 

44 


0 


0 

0 


0 

1 


0 


0 


0 


0 

48 


0 


0 

1 


0 

2 


0 


0 


0 


1 

52 


1 


0 

0 


0 

0 


0 


0 


0 


0 

56 


0 


0 

0 


0 

1 


0 


0 


0 


0 

60 


0 


0 

2 


0 

0 


0 


0 


0 


0 

64 


1 


0 

0 


0 

1 


0 


0 


0 


0 

68 


0 


0 

0 


0 

0 


0 


0 


0 


0 

72 


0 


0 

1 


0 

0 


0 


0 


0 


0 

76 


0 


0 

0 


0 

0 


0 


2 


0 


0 

80 


0 


0 

0 


0 

0 


0 


0 


0 


0 

84 


0 


0 

0 


0 

0 


0 


0 


0 


0 

88 


1 


0 

0 


0 

0 


0 


0 


0 


0 

92 


0 


0 

0 


0 

1 


0 


1 


0 


0 

96 


0 


0 

0 


0 

0 


0 


1 


0 


0 

100 


0 


0 

0 


0 

0 


0 


3 


0 


4 

AVERAGE 

37 

.4 

0 

• 

33.0 

0 

• 

34.5 

0 

• 

122 

.4 

0 

• 

120 

.2 

VARIANCE 

689 

.7 

0 

• 

369.6 

0 

• 

642.6 

0 

• 

2202 

.4 

0 

. 5180 

.0 

MAXIMUM 

86 

.2 

0 

• 

68.0 

0 

• 

88.1 

0 

• 

188 

.8 

0 

• 

195 

.8 

NUMBER 


7 


0 

13 


0 

12 


0 


7 


0 


7 


Vll-S 



ORIGINAL PAGE^ 
OF POOR QUALITY 


HISTOGRAM OF THROUGHPUT TIMES BY COMPONENT TYPE 
COMPONENT TYPE 10 11 12 13 14 15 16 17 18 


HOURS 


— 

— . 


— 


— 


— 

— - 



-- 


4 


0 

0 


0 

1 


0 


0 

0 


0 

1 

8 


0 

0 


0 

1 


0 


1 

0 


0 

0 

12 


0 

0 


0 

1 


0 


1 

0 


0 

1 

16 


0 

0 


0 

1 


0 


0 

0 


0 

1 

20 


0 

1 


0 

4 


0 


1 

0 


0 

0 

24 


0 

0 


0 

4 


0 


2 

0 


0 

0 

28 


0 

0 


0 

2 


0 


0 

0 


0 

0 

32 


0 

0 


0 

0 


0 


0 

0 


0 

1 

36 


0 

2 


0 

1 


0 


0 

0 


0 

0 

40 


0 

0 


0 

0 


0 


2 

0 


0 

1 

44 


0 

0 


0 

0 


0 


1 

0 


0 

1 

48 


i/ 

1 


0 

0 


0 


0 

0 


0 

0 

52 


0 

0 


0 

0 


0 


0 

0 


0 

1 

56 


0 

0 


0 

0 


0 


0 

0 


0 

0 

60 


0 

1 


0 

0 


0 


0 

0 


0 

1 

64 


0 

0 


0 

1 


0 


0 

0 


0 

0 

68 


0 

1 


0 

0 


0 


0 

0 


0 

0 

72 


0 

0 


0 

0 


0 


0 

0 


0 

1 

76 


0 

0 


0 

0 


0 


0 

0 


0 

0 

80 


0 

0 


0 

0 


0 


0 

0 


0 

0 

84 


0 

1 


0 

0 


0 


0 

0 


0 

1 

88 


0 

0 


0 

0 


0 


0 

0 


0 

0 

92 


0 

0 


0 

0 


0 


1 

0 


0 

0 

96 


0 

0 


0 

0 


0 


0 

0 


0 

0 

100 


0 

7 


0 

0 


0 


0 

0 


0 

7 

AVERAGE 

0 

• 

114.3 

0 

• 

21.5 

0 

• 

31 

.6 

0. 

0 

• 

84.5 

VARIANCE 

0 

. 7605.0 

0 

• 

171.0 

0 

• 

560 

.7 

0. 

0 

. 3874.7 

MAXIMUM 

0 

• 

337.9 

0 

• 

63.9 

0 

• 

88 

.4 

0. 

0 

• 

203.9 

NUMBER 


0 

14 


0 

16 


0 


9 

0 


0 

17 


VU-6 



ORIGfNAl PAGE IS 
OF POOR QUALITY 


HISTOGRAM OP MANHOURS BY COMPONENT TYPE 


COMPONENT TYPE 

1 

2 

3 

4 

5 

6 

7 

8 

9 

HOURS 



— ■ 


- — - - 

— 




2 

1 

0 

0 

0 

2 

0 

0 

0 

0 

4 

0 

0 

1 

0 

1 

0 

0 

0 

0 

6 

4 

0 

6 

0 

6 

0 

0 

0 

0 

8 

2 

0 

6 

0 

3 

0 

0 

0 

0 

10 

0 

0 

0 

0 

0 

0 

0 

0 

2 

12 

0 

0 

0 

0 

0 

0 

1 

0 

0 

14 

0 

0 

0 

0 

0 

0 

1 

0 

2 

16 

0 

0 

0 

0 

0 

0 

3 

0 

1 

18 

0 

0 

0 

0 

0 

0 

0 

0 

0 

20 

0 

0 

0 

0 

0 

0 

1 

0 

1 

22 

0 

0 

0 

0 

0 

0 

0 

0 

0 

24 

0 

0 

0 

0 

0 

0 

0 

0 

i 

26 

0 

0 

0 

0 

0 I 

0 

1 

0 

0 

AVERAGE 

5.0 

0. 

5.6 

0. 

4.6 

0. 

16.4 

0. 

14.3 

VARIANCE 

2.2 

0. 

1.6 

0. 

4.1 

0. 

18.2 

0, 

20.7 

MAXIMUM 

6.4 

0. 

7.5 

0. 

7.3 

0. 

25.7 

0. 

23.0 

NUMBER 

7 

0 

13 

0 

12 

0 

7 

0 

7 


HISTOGRAM OP 
COMPONENT TYPE 

MANHOURS BY 
10 11 

COMPONENT ' 
12 13 

TYPE 

14 

15 

16 

17 

18 

HOURS 


— . 





— - 





2 

G 

0 

0 

0 

0 

0 

0 

0 

1 

4 

0 

0 

0 

1 

0 

1 

0 

0 

1 

6 

0 

1 

0 

9 

0 

4 

0 

0 

1 

8 

0 

0 

0 

6 

0 

4 

0 

0 

3 

10 

0 

1 

0 

0 

0 

0 

0 

0 

3 

12 

0 

2 

0 

0 

0 

0 

0 

0 

0 

14 

0 

3 

0 

0 

0 

0 

0 

0 

4 

16 

0 

1 

0 

0 

0 

0 

0 

0 

1 

18 

0 

1 

0 

0 

0 

0 

0 

0 

2 

20 

0 

1 

0 

0 

0 

0 

0 

0 

0 

22 

0 

2 

0 

0 

0 

0 

0 

0 

1 

24 

0 

0 

0 

0 

0 

0 

0 

0 

0 

26 

0 

1 

0 

0 

0 

0 

0 

0 

0 

AVERAGE 

0. 

15.8 

0. 

5.8 

0. 

5.5 

0. 

0. 

10.6 

VARIANCE 

0. 

34.1 

0. 

1.4 

0. 

1.6 

0. 

0. 

27.0 

MAXIMUM 

0. 

26.0 

0. 

7.5 

0. 

7.2 

0. 

0. 

21.5 

NUMBER 

0 

14 

0 

16 

0 

9 

0 

0 

17 


VII-7 


ORIGINAL PAGE IS 
OF POOR QUALITY 

REPAIR SHOP SIMSCRIPT PROGRAM CODE 


' ' PGM - 

' ' TITLE ; AVIONICS JOB SHOP SIMULATION 

• ' ANALYST : DAN STREXFFERT 
•' G-4420 

’ ’ engineer ; JOHN ROSE 

•’ DATE : AUGUST, 1979 

’ ’ ABSTRACT : 

' ‘ THE REPAIR SHOP MODEL SIMULATES THE TEST AND REPAIR OP THE 
’’ AVIONIC EQUIPMENT USED ABOARD AN AIRLINE'S FLEET. TWO TYPES 
'' OF TEST EQUIPMENT ARE EMPLOYED BY THE REPAIR SHOP, AUTOMATIC 
'' TEST EQUIPMENT (ATE) AND A MANUAL TEST BENCH (TB). INPUT TO 
'' THE MODEL SPECIFIES WHICH TYPE OF TEST EQUIPMENT IS REQUIRED 
' ' BY EACH COMPONENT. A REPAIR PRIORITY IS USED TO INFLUENCE THE 
" COMPONENTS FLOW THROUGH THE REPAIR SHOP. THE MODEL OPERATES 
' ' ONE SHIFT PER 5 - DAY WORK WEEK. OVERTIME LABOR IS ALLOCATED 
’ ' TO ALLEVIATE REPAIR BACKLOG. 


VIl-8 



\ 


ORIGINAL PAGE !S 
OF POOR QUALITY 

PRR AMBLE 

NORMALLY MODE IS REAL 

PROCESSES INCLUDE 
ARRIVAL 

AND SHIFT. CHANGE 

EVERY ATE ’ ' AUTOMATIC TEST EQUIPMENT 

HAS A aOB.ATE ’’ JOB CAUSING { V 

AND MAY BELONG TO THE ATE. INTERRUPT 
EVERY RB ' 'REPAIR BENCH 

HAS A JOB.RB '' JOB CAUSING 

AND MAY BELONG TO THE RB. INTERRUPT 
EVERY TB ’ 'TEST BENCH 

HAS A JOB.TB '' JOB CAUSING 

AND MAY BELONG TO THE TB. INTERRUPT 
DEFINE JOB. ATE, JOB.RB, AND JOB.TB AS INTEGER VARIABLES 

I 

EVENT NOTICES INCLUDE | 

Q1 . MON , i 

Q2.MON, I 

Q3.MON, 1 

SIM. END, I 

AND END. SHIFT i 

EVERY END. JOB HAS A JOB. END 

DEFINE JOB. END AS AN INTEGER VARIABLE i 

f; 

TEMPORARY ENTITIES ‘ 

EVERY JOB HAS I 

A NUMBER, ''ARRIVAL NUMBER f 

A TYPE, ''COMPONENT TYPE (1-18) 

AN EQ.TYPE, '' EQUIPMENT TYPE (1=ATE, 2=TB, 3=BOTH) 

A PRTY , ' ' 1 , 2 , OR 3 

A RANK , ' ' FOR Q2 

A TM.PRE. REPAIR, ''MINUTES 
A TM. REPAIR, 

A TM. POST. REPAIR, 

A STATUS, • '1=PRE. REPAIR, 2=REPAIR, 3=POST .REPAIR 

A ST ART. TIME, 

MAY BELONG TO THE Ql , 

MAY BELONG TO THE Q2 , 

MAY BELONG TO THE Q3 

THE SYSTEM OWNS A Ql , A Q2, AND A Q3 
DEFINE Ql AS A SET RANKED BY HIGH PRTY 

DEFINE Q2 AS A SET RANKED BY HIGH RANK 

DEFINE Q3 AS A SET RANKED BY HIGH PRTY 

THE SYSTEM OWNS A ATE . INTERRUPT , A RB . INTERRUPT, AND A TB. INTERRUPT 
DEFINE ATE. INTERRUPT AS A LIFO SET 
DEFINE RB. INTERRUPT AS A LIFO SET 
DEFINE TB. INTERRUPT AS A LIFO SET 

DEFINE END. TIME AS A REAL VARIABLE i- 



VIl-9 


DEFINE SHIFT AS AN INTEGER VARIABLE ''0=OVER, X«ON 
DEFINE 

CHECK. PROB, '’PROB. FAULT CONFIRMED 

REPAIR. PROB ''PROB. FAULT REPAIRED 

AS REAL VARIABLES 

DEFINE NO. ATE, NO.RB, AND NO.TB AS INTEGER VARIABLES 

DEFINE NO. ARRIVALS AS AN INTEGER VARIABLE 

GENERATE LIST ROUTINES 
DEFINE 

Kl, '• MAX P3 DELAY TIME BEFORE INTERRUPT OP ATE 

K2, '» MAX P3 DELAY TIME BEFORE INTERRUPT OP TEST BENCH 

K3, '• MAX OVERTIME AUTHORIZED FOR ACTIVE JOBS 

K4 , ' ' MAX TIME FOR REPAIR AT ATE 

K5 ' ’ MAX TIME FOR IMMEDIATE POST REPAIR TEST AT ATE 

AS INTEGER VARIABLES ' ' ALL IN MINUTES 

DEFINE CTIME TO MEAN NDAY. F ( TIME .V ), HOUR . F (TIME .V ), MINUTE . F (TIME .V ) 

PRIORITY ORDER IS 
END. JOB, 

SIM. END, 

ATE, 

RB, 

TB, 

SHI FT. CHANGE, 

ARRIVAL, 

END. SHIFT, 

Q3 .MON, 

02 . MON , 

01 . MON 

PERMANENT ENTITIES 

EVERY STATISTIC ’’ARRAYS FOR TALLY STATISTICS 

HAS A MNHRS 
AND A THRPT 

TALLY ' 'THROUGHPUT TIME 

NO. THRPT AS THE NUMBER, 

AV. THRPT AS THE AVERAGE, 

VA. THRPT AS THE VARIANCE, 

MX. THRPT AS THE MAXIMUM, 

HS.THRPT(0 TO 96 BY 4) AS THE HISTOGRAM 
OF THRPT 

TALLY ' ' MANHOURS 

NO. MNHRS AS THE NUMBER, 

AV, MNHRS AS THE AVERAGE, 

VA. MNHRS AS THE VARIANCE, 

MX. MNHRS AS THE MAXIMUM, 

HS. MNHRS (0 TO 48 BY 2) AS THE HISTOGRAM 
OP MNHRS 


VIHO ORIGINAL PAGE IS 

OF POOR QUALITY 



DEFINE CO. EQ. TYPE AS A 1 -DIMENSIONAL ARRAY 
TYPE 


* I 


EQ.TYPE BY COMPONENT 


THE SYSTEM HAS A RN.TYPE RANDOM STEP VARIABLE ''COMP. TYPE DIST. 

THE SYSTEM HAS A RN.PRTY RANDOM STEP VARIABLE ' 'PRTY DISTR. 

THE SYSTEM HAS A RN.18 RANDOM STEP VARIABLE ''EQ.TYPE DiST FOR TY 

PE 18 

DEFINE RN.TYPE, RN.PRTY, AND RN.18 AS REAL VARIABLES 


DEFINE MIAT AS A REAL VARIABLE 
END 


I I 


MEAN INTERARRIVAL TIME (HOURS) 


OWGINft'- 
OF POOR QUR'-'” 


VIM I 


MAIN 

NOW INITIALIZE 
CALL INPUT 

ACTIVATE AN ARRIVAL IN 8 HOURS 
ACTIVATE A SHIFT. CHANGE IN 8 HOURS 
ACTIVATE AN SIM. END IN END. TIME DAYS 
START SIMULATION 
END 


ROUTINE TO INITIALIZE 

CREATE EACH STATISTIC(18 ) 
RESERVE CO. EQ. TYPE AS 18 
LET LINES. V - 100000 

END 


ROUTINE TO SET. FARM GIVEN JOB. FARM 

•' THIS ROUTINE INITIALIZES JOBS ENTERING THE REPAIR SHOP. 

DEFINE JOB. FARM AS AN INTEGER VARIABLE 
LET STATUSJOB.PARM) = 1 'PR.RPAR 
END 


ORIGINM. WGE « 
OF POOR QOAUTY 


ORIGINAL PAGE IS 
OF POOR QUALITY 


ROUTINE FOR INPUT 

DEFINE ANS AS AN AF-iPHA VARIABLE 

PRINT 2 LINES THUS 

AVIONICS JOB SHOP SIMULATION 

PRINT 1 LINE THUS 

INPUT NUMBER OF ATE, REPAIR BENCHES, AND TEST BENCHES 

READ NO. ATE, NO.RB, AND NO.TB 

PRINT 1 LINE THUS 

INPUT Kl, K2, K3, K4, AND K5 

READ Kl, K2, K3, K4 , AND K5 

PRINT 1 LINE THUS 

INPUT RUN TIME IN DAYS 

READ END. TIME 

PRINT 1 LINE THUS 

INPUT 18 EQUIPMENT TYPES (1=ATE,2=TB,3=EITHER) 

READ CO. EQ. TYPE 
PRINT 1 LINE THUS 

INPUT MEAN NUMBER OF ARRIVALS PER DAY 
READ MIAT 

LET MIAT = 24. /MIAT '' INTERARRIVAL TIME 
PRINT 1 LINE THUS 

INPUT PROS. FAULTS CONFIRMED, PROB. REPAIR IS GOOD 
READ CHECK. PROB, REPAIR. PROB 
PRINT 1 LINE THUS 

INPUT RANDOM STEP VARIABLES (TERMINATE WITH ASTERISKS) 
PRINT 1 LINE THUS 

INPUT COMPONENT TYPE DISTR. 

READ RN.TYPE 
PRINT 1 LINE THUS 

INPUT PRIORITY DISTRIBUTION 
READ RN.PRTY 
PRINT 1 LINE THUS 

INPUT EQ.TYPE DIST. FOR COMPONENT TYPE 18 
READ RN.18 
PRINT 1 LINES THUS 
TRACE OPTION ? (YES OR NO) 

P,EAD ANS 
IF AN’S = "YES" 

LET BETWEEN. V = ’TRACE* 

ALWAYS 

PRINT 1 LINE THUS 

LIST INPUT DATA ? (YES OR NO) 

READ ANS 
IP ANS = "YES" 

CALL PR. INPUT 
ALWAYS 
END 


VIM 3 



fl 


i’OUTINE TO PR. INPUT 


ORIGINAL PAGE IS 
OF POOR QUALITY 



DEFINE I AS AN INTEGER VARIABLE 

PRINT 4 DINES WITH NO. ATE, NO.RB, AND NO.TB 
THUS 

NUMBER OP 
ATE * * 

RB = * ? 

TB x f f 

SKIP 1 DINE i 

PRINT 5 DINES WITH K1,K2,K3,K4 AND K5 

THUS : 

K1 - MAX P3 DEDAY TIME BEFORE INTERRUPT OP ATE ~ * MIN 

K2 - MAX P3 DEDAY TIME BEFORE INTERRUPT OF TB = * MIN I 

K3 - MAX OVERTIME AUTHORIZED FOR ACTIVE JOBS * * MIN ? 4 

K4 - MAX TIME FOR REPAIR AT ATE = * MIN i 

K5 ~ MAX TIME FOR POST REPAIR TEST AT ATE = * MIN 

SKIP a DINES 
PRINT 2 DINES THUS 

COMPONENT EQ. TYPE COMPONENT EQ.TYPE COMPONENT EQ.TYPE 
FOR I = 1 TO 16 BY 3 

PRINT 1 LINE WITH I, CO. EQ.TYPE(I ) , I+l^ CO.EQ,TYPE(l+l) , 

1+2, CO,EQ.TYPE(I+2) THUS 

it -k k * k k 

SKIP 2 DINES 

PRINT 1 DINE WITH MIAT THUS ^ 

MEAN INTERARRIVAD TIME = * HOURS 

SKIP 1 LINE 

PRINT 1 DINE WITH CHECK. PROB AND REPAIR. PROB THUS 
PROB. FAULT CONFIRMED = .** PROB. FAULT REPAIRED ^ 

SKIP 2 LINES 
PRINT 3 DINES THUS 

DISTRIBUTION OP COMPONENT TYPES (CUM) ' i 

PROBABILITY TYPE i 


FOR BACH RANDOM. E IN RN.TYPE 

PRINT 1 LINE WITH PROB. A AND RVALUE. A THUS 

k kk k 

SKIP 2 LINES 

PRINT 3 DINES THUS 

DISTRIBUTION OF PRIORITIES (CUM) 

PROBABILITY PRIORITY 

FOR EACH RANDOM. E IN RN.PRTY 

PRINT 1 LINE WITH PROB. A AND RVALUE. A THUS 

k ^kk k 

SKIP 2 LINES 
PRINT 3 LINES THUS 

DISTRIBUTION OF EQ.TYPE FOR COMPONENT TYPE 18 
PROBABILITY EO.TYPB 

FOR BACH RAN DOM. E IN RN.18 

PRINT 1 LINE WITH PROS, A AND RVALUE. A THUS 

k kk k 


END 


VIM 4 



Op'fJJJfL page tS 
OP POOR QUALIT? 


PROCESS ARRIVAL 

» • THIS PROCESS GENERATES REPAIR JOBS AT EXPONENTIALS DISTRIBUTED 
•' INTERARRIVAL TIMES. JOBS ARE ASSIGNED INITIAL PARAMETERS, 

•' FILED IN QX, AND INITIATED IP POSSIBLE. 

DEFINE WAIT.TM AS A REAL VARIABLE 

UNTIL TIME.V GT END. TIME 
DO 

•rbgomp' 

LET WAIT.TM p* EXPONENTIAL. P(MIAT, 4 ) 

IP WAIT.TM GT 8.*MIAT » 'TRUNC. EXPON. 

GO TO RECOMP 
ELSE 

WAIT WAIT.TM HOURS 
ADD 1 TO NO. ARRIVALS 
CREATE A JOB 
LET NUMBER =•' NO. ARRIVALS 
LET TYPE = RN.TYPE 
IP TYPE - 18 

LET EQ.TYPE = RN.18 
ELSE 

LET EQ.TYPE “ CO .EQ.TYPE (TYPE) 

ALWAYS 

LET PRTY - RN.PRTY 
LET START. TIME « TIMB.V 
CALL SET.PARM GIVING JOB 
IP BETWEEN. V = ’TRACE’ 

CALL PRINT. JOB 
ALWAYS 

FILE JOB IN Q1 

SCHEDULE A Ql.MON NOW ’’ SEND JOB TO ATE OR TB IF POSSIBLE 
LOOP 

END 


V1M5 


ORIGINAL PAGE 18 
OF POOR QUALITY 


PROCESS ATE "AUTOMATIC TEST EQUIPMENT 

' • THIS PROCESS SIMULATES THE WORK DONE AT THE ATE. 

IF STATUS (JOB. ATE) - 1 "P RE. REPAIR 

LET TM.PRE.REPAIR(JOB.ATB) * UNIFORM.F( . 2 ^ 4 . , 5 ) * 60. 

WORK TM.PRE.REPAIR(JOB.ATE) MINUTES 

IF RANDOM. F(l) LE CHECK.PROB "FAULT CONFIRMED ? 

LET STATUS (JOB. ATE) = 2 "REPAIR 
ELSE 

SCHEDULE AN END. JOB GIVING JOB. ATE NOW 
GO TO RETRN 
ALWAYS 
ALWAYS 

IF STATUS (JOB. ATE) = 2 "REPAIR 

LET TM.REPAIR(JOB.ATE) = UNIFORM.P( .5 ,4 . ,6 ) * 60. 

IP TM. REPAIR (JOB. ATE) LT K4 

WORK TM.REPAIR(JOB.ATE) MINUTES "IMMEDIATE REPAIR AT ATE. 

LET STATUS (JOB. ATE) = 3 "POST. REPAIR 

LET TM. POST. REPAIR( JOB. ATE) si UNIFORM .F( . 5 ,2 . ,7 ) ‘ * 60. 

IF TM. POST. REPAIR( JOB. ATE) LT K5 

WORK TM. POST. REPAIR( JOB. ATE) MINUTES "IMMEDIATE POST REPAIR 
TEST AT ATE. 

CALL CHECK. REPAIR GIVING JOB. ATE 
ELSE "DEFER POST REPAIR TEST AT ATE. 

LET PRTY(JOB.ATE) = MAX. F(PRTY( JOB .ATE) , 2 ) 

LET RANK (JOB. ATE) = PRTY ( JOB . ATE ) + X 
FILE JOB. ATE IN Q2 "LIFO WITH PRTY 
ALWAYS 

ELSE "DO REPAIR AT REPAIR BENCH. 

FILE JOB. ATE IN Q3 "REPAIR AT A REPAIR BENCH 
SCHEDULE A Q3.MON NOW "INITIATE REPAIR IF POSSIBLE 
ALWAYS 
GO TO RETRN 

ELSE 

IP STATUS (JOB. ATE) = 3 "POST. REPAIR 
IF TM. POST. REP AIR (JOB. ATE )= 0 

LET TM. POST. REPAIR(JOB. ATE) = UNIFORM. F( .5,2 . ,7 ) * 60. 

ALWAYS 

WORK TM. POST. REPAIR( JOB. ATE) MINUTES 
CALL CHECK. REPAIR GIVING JOB. ATE 

always 

'RETRN' 

SCHEDULE A Q2.MON NOW ''INITIATE NEXT JOB IN Q2 
END 


VIH6 


ORIGINAL PAGE IS 
OF POOR QUALITY 


PROCESS TB "TEST BENCH (MANUAL) 

’ ' THIS PROCESS SIMULATES ALL WORK DONE AT THE MANUAL 
" TEST BENCH. 

IF STATUS ( JOB. TB) = 1 "PRE. REPAIR 

LET TM.PRE.REPAIR(JOB.TB) = UNIFORM .F( .8 ,16 . ,8 ) * 60. 

WORK TM.PRE.REPAIR(JOB.TB) MINUTES 

IP RANDOM. F(l) LE CHECK. PROB " FAULT CONFIRMED ? 

LET STATUS ( JOB. TB) = 2 "REPAIR 
ELSE 

SCHEDULE AN END. JOB GIVING JOB.TB NOW 
GO TO RETRN 
ALWAYS 
ALWAYS 

IF STATUS (JOB.TB) = 2 "REPAIR 

LET TM.REPAIR( JOB.TB) = UNIFORM.P( .5 ,4 . ,6 ) * 60. 

WORK TM. REPAIR (JOB.TB) MINUTES 
LET STATUS ( JOB. TB)= 3 "POST. REPAIR 
ALWAYS 

IP STATUS (JOB.TB) = 3 "POST. REPAIR 

LET TM.POST.REPAIR(JOB.TB) = UNIFORM . P( 2 . , 8 . , 9 ) * 60. 
WORK TM. POST. REPAIR( JOB.TB) MINUTES 
CALL CHECK. REPAIR GIVING JOB.TB 
ALWAYS 

' RETRN ' 

SCHEDULE A Ql.MON NOW "INITIATE NEXT JOB IN Q1 
END 


vn-17 


PROCESS RB ' ' REPAIR BENCH 

•' THIS PROCESS SIMULATES ALL WORK DONE AT THE REPAIR BENCH. 

WORK TM.REPAIR(JOB.RB) MINUTES 

LET STATUS ( JOB. RB) = 3 '' POST .REPAIR 

LET PRTY(JOB.RB) = MAX . F ( PRTY ( JOB . RB) , 2 ) 

FILE JOB.RB IN Q1 

SCHEDULE A Ql.MON NOW ’’INITIATE POST REPAIR TEST IF POSSIBLE 
SCHEDULE A Q3.MON NOW ’’INITIATE NEXT JOB IN Q3 
END 
E> 





ORIGINAL PAGE IS 
OF POOR QUALITY 

ROUa’INB TO CHECK. REPAIR GIVEN JOB. CHECK 

” THIS ROUTINE DETERMINES IF THE REPAIR WAS SUCESSFUL. 

' ' IP SO THE JOB IS TERMINATED. IF NOT SUCESSFUL, THE JOB 
'• IS ASSIGNED STATUS = 1 AND FILED IN Q1 . 

DEFINE JOB. CHECK AS AN INTEGER VARIABLE 

IF RANDOM. F(2) LE REPAIR. PROB " FAULT REPAIRED ? 

SCHEDULE AN END. JOB GIVING JOB. CHECK NOW ’'ACTIVATE JOB IF POSSIB 

LE 

ELSE 

CALL SET.PARM GIVING JOB. CHECK 
FILE JOB. CHECK IN Q1 

SCHEDULE A QX.MON NOW ' 'INITIATE JOB IF POSSIBLE 
ALWAYS 
END 


VIM9 


EVENT EOR Ql.MON 


• I 
» I 
I » 

• I 


THIS EVENT SCANS Q1 AND INITIATES AS MANY JOBS AS POSSIBLE, 
SENDING THEM TO EITHER AN ATE OR TB . ANY PRTY-3 JOBS 
REMAINING AT THE END OP THE SCAN ARE SENT TO THE INTERRUPT 
ROUTINE TO DETERMINE IP AN INTERRUPT IS POSSIBLE. 


IF SHIFT “ 0 ’ 'OVER 

RETURN 
ELSE 


FOR BACH JOB IN Ql WITH EQ.TYPE NE 2 ' 'NOT A TEST BENCH 

WHILE N.EV.S(I.ATE) LT NO. ATE ''ATE AVAILABLE 
DO 

REMOVE JOB FROM Ql 

ACTIVATE AN ATE GIVING JOB NOW 

LOOP 

FOR EACH TB IN TB. INTERRUPT 

WHILE N.EV.S(I.TB) LT NO.TB ''TEST BENCH AVAILABLE 
DO 

REMOVE TB FROM TB. INTERRUPT 
IP BETWEEN. V = 'TRACE' 

PRINT 1 LINE WITH CTIME AND NUMBER ( JOB .TB ) 

THUS 

JOB * RESUMED AT TB 

ALWAYS 
RESUME TB 
LOOP 

FOR EACH JOB IN 01 WITH EQ.TYPE NE 1 ''NOT ATE 

WHILE N.EV.S(I.TB) LT NO.TB ''TEST BENCH AVAILABLE 
DO 

REMOVE JOB PROM Ql 

ACTIVATE A TB GIVING JOB NOW 

LOOP 

FOR EACH JOB IN Ql WITH PRTY =3 '' INTERRUPT ACTIVE JOBS IF POSS 

IBLE 

CALL INTERRUPT GIVING JOB 


ORIGINAL 
OF POOR QUALITY 


ORIGINAL PAGE IS 
OF POOR QUALITY 

EVENT FOR Q2.MON 

•' THIS EVENT SCANS Q2 AND INITIATES AS MANY JOBS AS POSSIBLE. 
’’ IP ANY ATE S ARE AVAILABLE AT THE END, Ql.MON IS ACTIVATED 
TO SEARCH FOR QUEUED JOBS THERE. 


IF SHIFT - 0 ’ 'SHIFT OVER? 

RETURN 

ELSE 

FOR EACH ATE IN ATE . INTERRUPT 

WHILE N.EV.S(I .ATE) LT NO. ATE ''ATE AVAILABLE 
DO 

REMOVE ATE FROM ATE . INTERRUPT 
IF BETWEEN. V = 'TRACE' 

PRINT 1 LINE WITH CTIME AND NUMBER( JOB . ATE) 
THUS 

★_**.** JOB * RESUMED AT ATE 
ALWAYS 
RESUME ATE 
LOOP 

FOR EACH JOB IN Q2 

WHILE N.EV.Sd .ATE) LT NO. ATE ''ATE AVAILABLE 
DO 

REMOVE JOB FROM Q2 

ACTIVATE AN ATE GIVING JOB NOW 

LOOP 

IF N.EV.Sd .ATE) LT NO. ATE ''ATE AVAILABLE ? . 

SCHEDULE A Ql.MON NOW 
ALWAYS 
END 


Vli-21 



EVENT FOR Q3.MON 


’ ' THIS EVENT SCANS Q3 AND INITIATES AS MANY REPAIRS AT THE 
'' REPAIR BENCHES AS POSSIBLE. ANY PRTY=3 JOBS REMAINING 
' ' IN Q3 ARE SENT TO THE INTERRUPT ROUTINE TO DETERMINE IP 
" AN INTERRUPT IS POSSIBLE* 

IF SHIFT = 0 ’’SHIFT OVER ? 

RETURN 

ELSE 

FOR EACH RB IN RB. INTERRUPT 

WHILE N.EV.S(I.RB) LT NO.RB ’’REPAIR BENCH AVAILABLE ? 

DO 

REMOVE RB FROM RB. INTERRUPT 
IP BETWEEN. V = ’TRACE’ 

PRINT X LINE WITH CTIME AND NUMBER( JOB.RB) 

THUS 

*_*★.** JOB * RESUMED AT RB 
ALWAYS 
RESUME RB 
LOOP 

FOR EACH JOB IN Q3 

WHILE N.EV.S(I.RB) LT NO.RB ’’REPAIR BENCH AVAILABLE 
DO 

REMOVE JOB PROM Q3 

ACTIVATE A RB GIVING JOB NOW 

LOOP 

FOR EACH JOB IN Q3 WITH PRTY = 3 ’ ’INTERRUPT ACTIVE JOB IF POSSIBLE 

CALL RB. .INTERRUPT GIVING JOB 


original page ® 
OF POOR 


ROUTINE TO INTERRUPT GIVEN JOB.INT 

THIS ROUTINE SEARCHES THE ATB(S) AND TB<S) TO DETERMINE IF THE 
" GIVEN JOB MAY INTERRUPT AN ACTIVE JOB. IF AN INTERRUPT IS 
* * POSSIBLE THE ACTIVE PROCESS IS INTERRUPTED AND FILED IN THE 
INTERRUPT QUEUE. THE GIVEN JOB THEN ACTIVATES THE AVAILABLE 
' * ATE OR TB . 

DEFINE JOB.INT AS AN INTEGER VARIABLE 


IF E0,TYPE(JOB.INT) NE 2 * ’NOT A TEST BENCH 

FOR EACH ATE IN EV.S(I.ATE) WITH STA.A(ATE) - 1 " ACTIVE ATE(S) 

DO 

IF PRTY(JOB.ATE) LT 3 
INTERRUPT ATE 

IF TIME. A(JOB. ATE) GT Kl/1440. 

IF BETWEEN. V - ’TRACE* 

PRINT 1 LINE WITH CTIME, NUMBER( JOB . INT) AND NUMBER(JOB.AT 
E) 


THUS 

*_**.*• JOB NUMBER * INTERRUPTED JOB NUMBER 
ALWAYS 

LET TIME. A(JOB. ATE) - TIME. A(JOB -ATE) *1 .1 
LET PRTY(JOB.ATE) - 2 
FILE ATE IN ATE. INTERRUPT 
REMOVE JOB.INT FROM 01 
ACTIVATE AN ATE GIVING JOB.INT NOW 
RETURN 
ELSE 

RESUME ATE 
CYCLE 
ELSE 
LOOP 
ALWAYS 


IF EQ.TYPE(JOB.INT) NE 1 "NOT AN ATE 

FOR EACH TB IN EV.S(I.TB) WITH STA.A(TB) - 1 "ACTIVE TB(S) 

DO 

IF PRTY(JOB.TB) LT 3 
INTERRUPT TB 

IF TIME.A(JOB.TB) GT K2/1440. 

IF BETWEEN. V - 'TRACE' 

PRINT 1 LINE WITH CTIME, NUMBER( JOB . INT) AND NUMBER( JOB.TB 


) 


THUS 

*-**:** JOB NUMBER * INTERRUPTED JOB NUMBER 
ALWAYS 

LET TIME.A(JOB.TB) - TIME .ACJOB .TB) *1 .1 
LET PRTY(JOB,L / - 2 
PILE TB IN TB. INTERRUPT 
REMOVE JOB.INT FROM Ql 
ACTIVATE A TB GIVING JOB.INT NOW 
RETURN 
ELSE 

RESUME TB 
CYCLE 
ELSE 
LOOP 
ALWAYS 

END 


* 


O 








Vll-23 


ROUTINE FOR RB .. INTERRUPT GIVEN JOB..INT 

'• THIS ROUTINE ENTERS WITH A PRTY=3 JOB. A SEARCH OF ACTIVE 
' ' JOBS AT THE REPAIR BENCHES IS MADE TO LOCATE A JOB THAT MAY 
»' BE INTERRUPTED. IF AN INTERRUPT IS POSSIBLE, THE INTERRUPTED 
'• PROCESS IS PLACED IN THE INTERRUPT QUEUE AND THE NEW REPAIR IS 
'• ACTIVATED. 


DEFINE JOB..INT AS AN INTEGER VARIABLE 

FOR EACH RB IN EV.S(I.RB) WITH STA.A(RB) = 1 
DO 

IF PRTY(JOB.RB) LT 3 
IF BETWEEN. V - 'TRACE' 

PRINT 1 LINE WITH CTTME, NUMBER( JOB . . INT) AND NUMBER( JOB .RB) 
THUS 

*^A*.** JOB * INTERRUPTED JOB * AT REPAIR BENCH 
ALWAYS 

INTERRUPT RB 

LET TIME. A(JOB.RB) = TIME .A( JOB . RB ) *1 . 1 
LET PRTY(JOB.RB) = MAX . F ( PRTY , 2 ) 

FILE RB IN RB. INTERRUPT 
REMOVE JOB.. INT FROM Q3 
ACTIVATE A RB GIVING JOB.. INT NOW 
RETURN 
ELSE 
LOOP 

END 


ORIGINAL PAGE SS 
OF POOR QUALITY 


original PAG£ is 
OF POOR QUALITY 


EVENT TO END. JOB 

'• THIS EVENT COMPUTES JOB STATISTICS AND TERMINATES THE JOBS. 
LET JOB = JOB. END 

LET THRPT(TYPE) = (TIME .V-START .TIME ) *24 . ''HOURS 
LET MNHRS(TYPE) = (TM.PRE .REPAIR 

■f TM. REPAIR 

+ TM.POST.REPAIR)/60. ''HOURS 

DESTROY JOB 


END 


VII-25 


ORIGINAL PAGE IS 
OF POOR QUALITY 


PROCESS FOR SHIFT, CHANGE 

' ' THIS PROCESS SCHEDULES SHIFT CHANGES AND ALLOCATES OVERTIME 
' ' BASED ON THE END OF DAY BACKLOG. 

DEFINE DAY AS AN INTEGER VARIABLE 

UNTIL TIME.V GT END. TIME 
DO 

FOR DAY - 1 TO 7 
DO 

IF DAY LE 5 

GALL START. SHIFT 
WAIT 8 HOURS 

IP N.Ql GE 15 '* OVERTIME ALLOCATION 

SCHEDULE AN END. SHIFT IN 3 HOURS 
JUMP AHEAD 
ELSE IP N.Ql GE 10 

SCHEDULE AN END. SHI FT IN 2 HOURS 
JUMP AHEAD 
ELSE IF N.Ql GE 5 

SCHEDULE AN END. SHIFT IN 1 HOUR 
JUMP AHEAD 
ELSE 

SCHEDULE AN END. SHI FT NOW 
HERE 


WAIT 16 HOURS 
ELSE 

WAIT 24 HOURS 
ALWAYS 

LOOP ''DAILY 
LOOP ' 'WEEKLY 


ORIGINAL PAGE IS 

OF POOR QUALITY 


ROUTINE TO START. SHIFT 

' ' THIS ROUTINE INITIATES JOBS AT THE BEGINING OF THE SHIFT, 

LET SHIFT = X 
SCHEDULE A Ql.MON NOW 
SCHEDULE A Q2.MON NOW 
SCHEDULE A Q3.MON NOW 
END 


VII-27 


ORIGINAL PAGE IS 
OF POOR QUALITY 


EVENT TO END. SHIFT 

»' THIS EVENT INTERRUPTS ACTIVE JOBS AT SHIFT END. 
” ARE FILED IN THE INTERRUPT QUEUES. OVERTIME IS 
• ' FOR JOBS NEAR COMPLETION. 


LET SHIFT - 0 

FOR EACH ATE IN EV.S(I.ATE) WITH STA.A(ATE) = 1 
DO 

INTERRUPT ATE 
IP TIME.A(ATE) LT K3/1440. 

RESUME ATE 
CYCLE 
ELSE 

LET TIME.A(ATE) = TIME .A(ATE) *1 .X 

FILE ATE IN ATE . INTERRUPT 

LOOP 

FOR EACH RB IN EV.S(I.RB) WITH STA.A(RB) - 1 
DO 

INTERRUPT RB 

IF TIME.A(RB) LT K3/1440. 

RESUME RB 
CYCLE 
ELSE 

LET TIME.A(RB) = TIME . A( RB ) *1 . X 

PILE RB IN RB. INTERRUPT 

LOOP 

FOR EACH TB IN EV.S(I.TB) WITH STA.A(TB) ~ X 
DO 

INTERRUPT TB 

IP TIME.A(TB) LT K3/X440. 

RESUME TB 
CYCLE 
ELSE 

LET TIMB.A(TB) = TIME . A(TB) *X . X 

PILE TB IN TB. INTERRUPT 

LOOP 

END 


THESE PROCESSES 
ALLOCATED 


VIl-28 


ORIGINAL RAGE IS 
OF POOR QUALITY 


EVRNT ROR SIM. END 

PRINT 1 LINE WITH CTIME AND NO. ARRIVALS THUS 
SIMULATION ENDED AT *^*>:** NO. JOBS » 
CALL RP.THRPT 
CALL RP.MNHRS 
STOP 
END 


ORIGINAL PAGE IS 
OF POOR QUALITY 


ROUTINF. FOR RP.THRPT 

DEFINE I,IHR AND MXHR AS INTEGER VARIABLES 
START NEW PAGE 

BEGIN REPORT PRINTING FOR 1 ~ 1 TO 18 IN GROUPS OF 9 


BEGIN HEADING 
SKIP 2 LINES 

PRINT 3 LINES WITH A GROUP OF I FIELDS THUS 
HISTOGRAM OF THROUGHPUT TIMES BY COMPONENT TYPE 
COMPONENT TYPE * * * * * * 

hours 

END '‘HEADING 


LET MXHR = 0 
FOR EACH STATISTIC 

LET -IKHR = MAX.F(MXHR,MX.THRPT) 

FOR IHR 1 TO MIN.F(MXHR/4 ,25) BY 1 

PRINT 1 LINE WITH IHR* 4 AND A GROUP OF HS.THRPT(I ,IHR) FIELDS THUS 
* * ** ****** 

PRINT 1 LINE THUS 


PRINT 1 LINS WITH A GROUP OF AV.THRPT(I) 
AVERAGE ‘ * .* *.* *,* *.* 

PRINT 1 LINE WITH A GROUP OF VA.THRPT(I) 
VARIANCE *.* *.* *.* *.* 

PRINT 1 LINE WITH A GROUP OF MX.THRPT(I) 
MAXIMUM *.* * ,* * .* *.* 

PRINT 1 LINE WITH A GROUP OF NO.THRPT(I) 
NUMBER * * * * 

END ' * REPORT 
END 


FIELDS THUS 

* ^ ;■< * , * * 

FIELDS THUS 

* * * * * 

• • 

FIELDS THUS 

* * * * * 

• • 

FIELDS THUS 

★ * 


* 

* 

* 

* 


* * 

■ 

* * 

» 




* * 


t 

•k k 


* 



VU-30 



ORIGINAL PAGE IS 
OF POOR QUALITY 


ROUTINE FOR RP.MNHRS 


DEFINE I,IHR AND MXHR AS INTEGER VARIABLES 


START NEW PAGE 

BEGIN REPORT PRINTING FOR 1=1 TO 18 IN GROUPS OF 9 


BEGIN HEADING 
SKIP 2 LINES 

PRINT 3 LINES WITH A GROUP OF I FIELDS THUS 
HISTOGRAM OF MANHOURS BY COMPONENT TYPE 
COMPONENT TYPE ***** 

HOURS 

END "HEADING 


LET MXHR = 0 
FOR EACH STATISTIC 

LET MXHR = MAX,F(MXHR,MX.MNHRS) 

FOR IHR = 1 TO MIN.F(MXHR/2,25) BY 1 

PRINT 1 LINE WITH IHR*2 AND A GROUP OP HS. MNHRS( I , IHR) FIELDS THU 
* ******** 

PRINT 1 LINE THUS 


PRINT 1 LINE WITH A GROUP OF AV.MNHRS(l) FIELDS THUS 
AVERAGE *.* *.* *.* *.* *.* *.* *.* *.* 

PRINT 1 LINE WITH A GROUP OF VA.MNHRS(I) FIELDS THUG 
VARIANCE *.* *.* *.* *.* *.* *.* *.* *.* 

PRINT 1 LINE WITH A GROUP OF MX.MNHRS(I) FIELDS THUS 
MAXIMUM *.* *.* *.* *.* *.* *.* *.* *.* 

PRINT 1 LINE WITH A GROUP OP NO.MNHRS(I) FIELDS THUS 
NUMBER * * * * * * * * 

END ’ ' REPORT 
END 


* * 
★ ★ 
* * 


* 




VII-31 


* w 


ORIGINAL PAGE IS 
OF POOR QUALITY 

ROUTINE TO TRACE 

IF EVENT. V = I. ARRIVAL 

PRINT 1 LINE WITH GTIME AND NO . ARRlVALS+1 THUS 
*_★*.** ppQCBSS ARRIVAL NO * 

RETURN 

ELSE IF EVENT. V - I .SHIFT. CHANGE 
PRINT 1 LINE WITH CTIME 
AND M0D.F(SHIFT+1,2) THUS 
*_*★.** process SHIFT. change, SHIFT = * 

RETURN 

ELSE IF EVENT. V = I. ATE 

PRINT 1 LINE WITH CTIME, NUMBER( JOB . ATE) AND STATUS{ JOB . ATE) THUS 
*_**.★* process ate FOR JOB * STATUS * 

RETURN 

ELSE IF EVENT. V = I.RB 

PRINT 1 LINE WITH CTIME, NUMBER( JOB . RB ) AND STATUS ( JOB .RB) THUS 
*>**.#* process RB FOR JOB * STATUS * 

RETURN 

ELSE IF EVENT. V = I.TB 

PRINT 1 LINE WITH CTIME, NUMBER( JOB .TB) AND STATUS ( JOB. TB) THUS 
*_**.*★ PROCESS TB FOR JOB * STATUS * 

RETURN 

ELSE IF EVENT. V = I.Ql.MON 
PRINT 1 LINE WITH CTIME THUS 
*_**.** event Ql.MON 
RETURN 

ELSE IP EVENT. V = I. 02. MON 
PRINT 1 LINE WITH CTIME THUS 
*_i»r*.** EVENT 02. MON 
RETURN 

ELSE IF EVENT. V = I.Q3.MON 
PRINT 1 LINE WITH CTIME THUS 
*_*★.** EVENT 03. MON 
RETURN 

ELSE IF EVENT. V = I. END. JOB 

PRINT 1 LINE WITH CTIME AND NUMBER( JOB .END) THUS 
*_**.★* event END. job FOR JOB * 

RETURN 

ELSE IP event. V = I. END. SHI FT 
PRINT 1 LINE WITH CTIME THUS 

*_*★.** event end. shift 

RETURN 

ELSE IF EVENT. V = I. STM. END 
PRINT 1 LINE WITH CTIME THUS 
*_**.** event STM. end 
RETURN 


Vn-32 


ORIGINAL PAGE IS 
OF POOR QUALITY 


ROUTINR TO PRINT. JOB 

PRINT 4 LINES WITH NUMBER, TYPE, BQ.TYPE, PRTY, RANK, 
TM.PRE. REPAIR, TM. REPAIR, TM .POST . REPAIR, 

AND STATUS THUS 
JOB 

NUMBER * TYPE * EQ.TYPE * PRTY * RANK * 
TM.PRE. REPAIR *.*★* TM. REPAIR * .*** TM .POST .REPAIR 
STATUS * 

END 


* ★** 


APPENDIX VIII 


REPLICATED SYSTEM COMPONENT REMOVALS 
REPLICATED SYSTEM CMPONENT REMOVALS INTRODUCTION 


In this appendix, a simplified fault-tolerant computer is considered, consisting of 
several different stages in series, each stage having replicated components in parallel. 
The prediction of line and shop maintenance cost depends on the ability to determine 
the removal rate of the LRU and components within the LRU. The simplified fault- 
tolerant multiprocessor (FTMP) has the following component characteristics: 


Nineplex 

o Central Processors 
o Memories 
0 I/O Ports 
0 Clocks 


MTBF (Each), Hours 

20,000 

20,000 

30,000 

30,000 


To dispatch the airplane, there must be no more than one failure in any nineplex. Two 
or more failures in any nineplex will entail removal and repair of the entire FTMP, 

Two analytical solutions for the removal rate of the LRU are provided below: a 
general solution to the removal rate of the components and a simulation program that 
provides removal rate of the LRU and component stages. The SIMSCRIPT simulation 
provides results in close agreement with the analytical solutions and represents a short 
programming task compared with work required for the analytical solutions. Simula- 
tion of 22 million operating hours costs approximately $10. 

Dispatch with No More Than One Failure per Nineplex 

The FTMP dispatch success rate is the existence of no more than one failure in any of 
the four modules. In the (i)th nineplex, 1 (i) ^ 4, the probability of success is given 

by; 

(1) R (t) = P(0 failures) + P(1 failure) 

= P(9 successes) + P(8 successes) 

= (exp(-a(i).t))**9 + 9Uxp(-a(i) .t))'^*8 
(1 - exp(-a(i).t)) 

where a(i) = 1/M(i) = failure rate of each of the 9 subunits 
Simplifying, 

(2) R(i) = -3 exp(-9a(i).t) + 9 exp(-8a(i).t) 

In this case, 

a(l) = a(3) = 1/20,000 failures/hour 
a(2) = a(4) = 1/30,000 failures/hour 
Therefore, 

R(FTMP)= {R(1)*’*2).(R(2)*’*2) 

= (-8 exp(-9a(l).t) + 9 exp (-8a(l) .t) )*^2) 

. (-8 exp(-9aU).t) + 9 exp (-8a(2) .t) )**2) , where 


VIII-l 


2 

(•6) R(FTIV1P)= TT 64 exp(-18a(i).t) - 144 exp (-17a(i).t) 
i=l + 81 exp (-16a(i).t)) 

To obtain the FTMP's mean time to removal, 

(4) MTTR<FTMP) == CR(FTMP) dt 


Expanding equation (3) and integrating term-by-term, vye obtain 

(5) MTTR(FT1V1P)= 4096 - 9216 + 5184 

18(a(l) + a(27 18a(l) + 17a(2) 18a(l) + 16a(2) 

9216 + 20,736 - 11,664 

17a(l) + 18^27 17(a(l) + aiT)! 17a(l) + 16a(2r 

5184 - 11,664 + 6561 

16a<l) + 18a(2) 16a(l) + 17a(2) I6(a(l) + a(2)X 

In the case under analysis, 

a - 1/20,000 = 5 X 10**(-5) failures/hr 

a - 1/30,000 = 3.333 x 10**(-5) failures/hr 

Substituting in (5), 

MTTR = 2259 hours j removal rate/1000 hours = 1000/2259 
w 0.443 

R(FTMP) was programmed on the Tl/59. The program listing and user instructions are 
provided in Figure 4. 

As verification, R(FTMP) was tabulated and integrated via the trapezoidal Simpsoji's 
Rule (see fig. 1), obtaining an approximate result of 2255 hours, which agrees 
beautifully with the exact analytical result of 2259 hours. 

If only the offending nineplex were removed rather than the entire FTMP; what would 
this do to overall removal rate? Integrating equation (2) from 0 to ‘nfinity, 

(6) MTTR = -8 + 9 = -8M(i) + 9M(i) 

9a(i) 8a(i) 98 

where M(i) are the MTBF's for component type (i). 

If M(l) = 30,000 = M(3), then MTTR(l) = MTTR(3) = 7083 hours 

If M(2) - 20,000 = M(4), then MTTR(2) = MTTR(4) = 4722 hours 

To depict the difference that results from removing the entire FTMP, compare the 
expected number of removals per 1000 hours. 


# * 


O 


i 


O 






Cl 




VIIl-2 


Homoval Level 


Remo v als/ 1000 Hours 


Entire FTIVIP 


0.443 


Central Proc.’s 
Memories 
I/O Ports 
Clocks 


0.212 

0.212 

0.141 

0.141 


TOTAL 


0.706 


Removing at tht; nineplex level would entail 61 percent more airplane removal actions 
than at the FTMP level. 

Dispatch with No More Than Two Failures per Nineplex 

1C the FTMP dispatch success state is relaxed to permit a maximum of two failures per 
nineplex, what is the expected improvement in MTTH? Employing the same notation 
as before, for each nineplex 

(7) R(i) = P(9 successes) + P(8 successes) + P(7 successes) 

= (exp(-Oa(i).t)) + 9(exp(-9a(i).t)) (I - oxp(-a(i).t)) 

+ 36(exp(-7a(i) .t)) (1 - exp(-a(i).t))**2 
- 28 exp(-9a(i) .t) - 63 exp(-8a(i) ,t) + 36 exp(-7a(i) .t) 

Simplifying, 

(8) R(i) = 784 exp(-18a(i).t) - 3528 exp(-17a(i).t) 

+ 5985 exp(-16a(i).t) - 4536 exp(-15a(i) .t) 

+ 1296 exp(-14a(i),t), 1 < i 2 


The complete formula, of course, is yielded by (R(i))**2 
and is shown in Figure 3. 

The removal rate per nineplex is determined by integrating equation (7): 

MTTR(i) - C (28 exp(-9a(i).t) - 63 exp(-8a(i) .t) + 

36 exp(-7a(i).t)dt 

_ 28 - 63 + 36 

" WiT OTT TaDT 

= l/a(i) (0.379) = 0.379M(i) 

where M(l)= 30,000 hours, MTTR(l) - u,370 hours 
M(2)= 20,000 hours, MTTR(2) - 7580 hours 

As before, the expected number of removals per 1000 hours will be compared. 


Vlll-3 


Removal Level 


Removals/lOQO Hours 


Entire FTMP 


0.230 


Central Proc.'s 0.132 

Memories 0.132 

I/O Ports 0.088 

Clocks 0.088 


TOTAL 


0.440 


In this case, removal at the nincplex level would require 91 percent more removal 
actions than at the highest (FTMP) level. The TI/59 computer program for R(FTMP) in 
tills case is given In Figure 5. 

A NOTE ON ANALYSIS METHODS 

In general, combinatorial reliability problems, such as the subject "k out of n" system, 
become forbiddingly complex if exact solutions are sought for MTBR. Furthermore, 
the calculations ordinarily involve small differepces between very large numbers and 
erroneous results may occur due to computer (or calculator) truncation errors. As 
demonstrated here, Simpson's Rule integration of the reliability function is quite 
accurate for MTBF or MTTR determination. Furthermore, if any or all of the failure 
rates are time varying, exact integrations are obtainable only via the greatest 
analytical power, whereas the Simpson's Rule approach offers no inherent difficulties. 

SUMMARY 

A simplified FTMP was analyzed here for two dispatch rules. 

A. Dispatch if no more than one failure in any nineplex; repair with two or 
more failures in any nineplex. 

B. Dispatch if no more than two failures in any nineplex, repair if three or 
more failures in any nineplex. 

The results for each case are repeated below. 


VIII-^J 


ORIGINAL PAGE IS 
OF POOR QUALITY 


KEPAIH 

LEVEL 


KEMOVAL KATES 
A 

Repair if 2 or 
More Failures in 
Any Nineplex 


PER 1000 HOURS 
B 

Repair if 3 or 
More Failures in 
Any Nineplex 


prMp 


0.443 


0.230 


NINEPLEX 



Central Proc.'s 

,2ia 

.132 

.Memories 

.212 

.132 

I/O Ports 

.141 

.088 

Clocks 

. 141 

.08B 


TOTAL 


0.706 


0.440 




ORIGINAL PAGE IS 
OF POOR QUALITY 






fiCunf J 


F\Ci,oa<L 2 . 


/*„.»(«)= f<i ft) 

• x,nx,$t3 g"^”*'*'**'’)* • Ji, iir, on 0 *^"^>* ^ * '«.‘ 0 ,oii» e*^” 

• 4 ) 4 «,J«. e*^‘ v.»«j „r 0 -'^>-'«t , ^ *g t ^ t 

• i.mjin l^^n- ut a-“t>wtAOt . 

-n.<« WU. t- 0 , 7 ,kkM, , 4 ,„J srt Wa X^^lj. 

T* -t*t**, r>«.M w»«.i » /}tj07t,iai 4 ^ 

X "*><hrt 4*V«il o-IJo,*»ljl20 
Z 4 *^ « / 


» ^ 5ww ifr 44 ^•*tC<«v%4i, 


A<TTf? •- 


^ JO fit a ^iiixi-- ».X 0 i 9 iv _£ 

/lOcT-M) 




l,lTSji/i 


W 

l4 ')»«'• * fy/*'*" ^hUtfi/htni> I »bfs,rtj 

/v»7rfi a ^L*i hoaoi R.kZ/o.. r .a> 


N(X »>0 



VIII -6 


ORIGINAL PAGE IS 
OF POOR QUALITY 



« M 

Ohit ITK 

i5 r« ^ 

Ml * 

OOiM 
• ♦ -* 


Q MY P* CY O 

Sw»*r*>a 

*** § f ** 

» 2 C> 

o •. ., 


C'J f r o 

^ *2 T 
OTIWY 
O »^l» 

ooo 


U>$ 

O tCt 

• o • 


|i;kvS 

3 ^ « it »« O 
t*lOl >tf»IVN 

oAun 

C>iS >0 


ilHs 




o Cl in 
0*4 PI 
MIN. Y> 

*^oo 

r>» 4 » 
"* * 4 J 

ml • 

d'=’ 


S}S 

y\m 

in 


O TO^O 
mmNinin 
NAlMOOr' 

•-•MYMtUM 

0 >MM> 

NCI*- 

MY09#i 

* I » 


)bY«^«aO 
> 4 i p 

iMOPI 

MY 

^ 

mr CO 
• Nu> 

O » I 



I ^ O 


»i. 


•Y 


i .'V M %d * 

•m N <h> •• 

(T> 

t»i *n 

^ ^ 

»» 

« . • t 

ooo 


» ir M ^ » 

fiiil 

O 

«ir rY *• 

W .N 
• O • 


• Cl V ml . 

o *«» in N o 


• mlMpm O 

ooo - 


*f •^•*> 
Ni>*^ 

Ch ^ ifi 
iTi j\»!P 


. O P* o • 

S JHrwMYQ 
CltP^NO 
*YO^ — 
NMYN 

^l %0 

N 

iPvdH^ 


»n*Hiyv 
f MY Cl 

•• 

• o » 


t Ov I my 


OmUOO 
0 *t«M uO 


Ml Cl 

MY 

CO 


0«0 
uoc 
Cl uC 
O M 
Uul 
•# O 
t *»» 
OOt. 

O 4 



O&^N 
•t f* iO 
0 «'l Ml 


t Ml k> • 

OfYlWf^C* 
VY •vOCIMl 

r 

f *t ^ 

tf 

O C 
OSMYOl 
vO OY O 

• • « 


4 Cl P* Pi ^ 

o»or**op 

5 Ol I • MY O 

iii.r.fis 

^>1 »*i» 
OM i> 

1 *^ 1 % .y. 
«>•(.? 


S=s?:§ 

»4 MY *N ^ 
OMYO 
-» 0)«0 
••Mill 

.croi 

o • • 


• * 0 ' 4 >CU « 

oco j> *t o 
M1MC1»0MY 
C|P*i l MY«>I 

f* IM O 

MlMY»r 
01 oo 

MO MY 


9 9 

« s 

<« > 
e> « 
r^ I" 
.. .» 


M 

3 

«. 

« 

J 






^ ^ ■ iisj - . *-wJi<^ _|.r ( jT ► .jii. a.^a 

bwOM-x^lOOll S = X^i»xill30U0ilik;U0>\w0llu.v0H .tte. wo 0 .iU.wO <t XA {^,u^^^^O>-<K 

a; at u>iK ikiK w<^iK a.<satwv>.j 

in tn t'l kt •« >4 ii'> in N V t'l iV) r> o »« in V in tn •*) a< vt «n >r .^ I n .* bi a' .y. t'4 b> k > .y a> <v» vvii o> w ' a » .vj n >• >« 

ovowooll'Mraa>auNl^t.«oo(^*a«oa.lyt▼o>l>«o.^at▼o.y.•na>no4>v)^y.TO.y>4<a>a^t'••■ro.d•• 


S 


3 

w 

X 


4 

<2 


ln>4N>B^^a'<^l<n•rll>>4vo<^O'-M>n«in.it^0O.^o>«N>nn'tf)al•Ol^o><'kh'^»rkV>ar o>^o•-•k^m>rv1<4 

tPi 0 > Ov CP O O O O O O O O O O M «• M M vm M M <M 04 04 01 CV| 0 | Oj M C 4 OJ M 01 » Y M M M M 01 01 M ^ *f 'V ♦ mr *T ^ 



•-0IM MY»CN O -i 04M «rm*DN0ft^O ^OiOl Y MY«i> N 0^ O 01 M «f MY <0 NO iP O «*« 01 M *0 

MY MY my MY MY MY MY MY MY *0 *0 Skl *0 ml ^ N N N N N 0* P« f « r« f« O CO O O O O *11 O O O (It iT* (Xi 

OOOOOOOQOOOOOOOOCOOOOOOQOOOOOOOOOOOOOOOOOOOO 


J 


t 

< 

m 

>• 

« 

< 

(V 


5 


*j wv*! mi*- I >;t w I > it 4 S.T— _i 

aixuo i< i‘ uo *1 Nsz K >a V 4 y»auo X ••f^ i> uo II z=t->nnH souoa«>4iu 

w * * ■*■ — j w> ac at ♦ — _j t v< ik- \; 

a in~«in(n^in.* iMnin w sMM .y nMin •-•rvit.ktn >«ii') T <>it»vi •> n .rkm ■» n«nii« 

N-.»owoom»oa»iyMMCgwooo*ro»owooio»oaia>»'u'i.*)oooy'a. .fO»o>eoov>T 

a «<'»»2 i*!3»ar;.§^Q -.<»l»n n irt'Orvasa\o — inm T iT(‘ay.wa>o ki<ay. <oa»o — oirt’y kt.u 

ooooooopoooaoooa 0000000000000000000000000000 ooo 


•• ri 

ai ® 

oe 

.a 3 

f 


a 


e 

i 

L 

4 J 

ti 

I 


VIIl-7 




original page is 

OF POOR QUALITY 



k. r 



^. 6 ^, 


k'« O 
SDtn'* 

«r» •• 
N * •» 
• • • 





Ml'iMO 

I.nK«« 

r;?r 

Rn5 





I Kt 

rf«? 


• mSN . 


kio»Hig 


S^mm vS 

3 VUIMO 

)i 7 l««kO 


l)MO 



Rd»M 


^OPN 


wmr> 

KO>«9l 

9>*9i 
• O * 



• »M «r N 
iori<h«» 

»« l^ jk i» 

^^N^• 

4i> 


9 

O M •» C 

R 

3^*2 1^1 2 
SOk^d^il 







o i>Ct *r o 
o |S| A •» o 

«S31 

ooo> 

t••'><<^ 

•FiiJ.N 



►•no -ik^ jk t u(_i, _a«'iB _ 

uai:ouav:ik.i/>ott<JO<(wONkoo^A>,auk>Ok>ix 
ptV>ACk,,^a' i)( Ik 

tfk Ck ♦ 9W>) ff» » Iti N Q M M ¥» k') « t Irt |»I i'^ M ». Ij# ^ .ft k^ HI f J « I- 1 
ipor>ONOiniriiFio«**o>A«CMMii«oin 9 >«>N»«o<i>Mi 

M (V| Ht V in IH N B IFI O •• HI 0>l « 10 >P N OB iFl O M M <<) « IF) ‘p N i>> |F> 
'VVW'VTV'r'rkTkTIOkTIOIOlOk*! k> kl 'il *P ><> H> *P M> A m 'll 'p 


f 


It 

k 


r 

-. * 

^ -S^ 

2 S' 

i 5 


1 ••T ^ 

■* 3 I 

5 « * 

* A 3 

A O A 

^ if s 

^ ^ m 
r w 1 

4i; » « 


V) 

Ii; 

>» 

JT 

1^ 


• 9 » »j<vk 

COUO X 


»i O ^ < > X 

uOkVjxX' 


*.* J a cd j *» . V u 

M ^OwOi iuo 
♦ uV AC <)I 


.. ^ o I > a 

X ( UO « ’« sx X H t »0 

J wrt 

f>i<A 
-Q 


' — — k -r kff ■» vr I* • M ^ 

S5S!2SS8f3SS5S?|?3!23SS;^585^S5S?S!?SSS3KR§SJf:jJ32SSS‘iSSJg 

So'2oo222222i222s52l3-5s3SS^*^^'"^‘*^'**^‘'*^”^'^”^‘*”*«° 


_in >o I I e<o^xt*<f<^n »o is:: oiM_io» 

UOi<»N i'UQH VXSXHIIOPICkV lll-0UOEOUO.<-«'P i <JOk SS'.ikTifloaiOMk-OuO 

AC Ik k ko ^ k Ul 0 >0 >V Ik k P> ^ >0 0 

m H) kl k. kl <0 O kT >r I'-l l<> VI ikl HI a « 10 N 0 H) « T Ik' I'B >0 kt •• Ip kl CO O VI f HI H> k') W) ir> I» kT k> r I >a m B 

VO<POOIOr>Oi7>>klMl‘>l<POOOC* '0>>rCVONO>fOipOO|ONO<Mk>(>ll'ii>POOOOi7>>rO«0 

r>i»^o xHivo •kko>pr»ii>mo»(>‘lro >riOipk.iacAO>k>'i>'o t io>pn •>•lltcof'lO>PN•»>^o mHico 

^ V >r k> 10 kO ko kO kO ko ko lO lO Ip * 0 10 Ip Ip Ip Ip Ip Ip P ^ C« I-- N Co k- k« w k- fi- OB >P B lO lO lO iS iM HI CO Ik) i 7 i iTv iki 

oooQoooooooooooooooooooooQOoooooooooaoooooooooo 


c^0M2So28gS5Sd8S^0dSx-«.k^S 

w) u 1 V) M> Ak ^ aC ^ 


I ‘.i:; 0 ^«i 0 O'Ti-JCa .*^ 

k visxr-Mfk itO-jo k « h t-ooOEO 

^ M ^ U t CiC i/> UC VI 


w) W 1 VI v» * Ai ^ — o. — 

28i;!§§‘;*S5V3Ji'S5S2ieia$S^i3588f'3g83:'{8i‘2&831i':W2^^^^^ 

§^oS 5 Q'-sooa 2— 22 222 — 22 ®cokifi?i 8 ’i'ik’i*kiSi^H'coioS'i^MMrt 2?^^52 52 

ooooooSooQSooSSoSSoooooooodoooooooooooooooooooo 


vm-8 


ORIGINAL PAGE IS 
OF POOR QUALITY 


SiAol-r 


dfoc^ > /""tirMc’r rCi'w.''- O'h sysitni MTIjF ana/ 


(/ 


Co>>^pOM%i rcpafY rak 


o 

j i 


tt/e 0 ,yH (k S/Sk^^>^jkoi/i^orUU^ COkSich ‘ 

of k ,(iA(i(ip(^'/iO'Cnl suhi/S'k94S‘ comecJed in scrfes. 

Tka cukysk^t^ AS a'n My ouf (*( of cowpo'h^Ak 

of l/pe 'C f(te suhs/slo^ opP-^o^le? a//w as My 
of Us /// coii'foncmy opsyok, PlacL coiMfOi^piM A SuLysr:*;'^. 
A opPraks At^c/epeuc/e'hin^ (yi'lk doviSkVy^ foiMuy^ 'yoIo . 

Dt O'fC XukyeMecI /m HtS AAiean iPmP hehypt'^ l<xiU'*e% 
MTBF^ or tCf UC\joJf^1{ily IIaG SKp6C(sd of (kt OV^yOil/ 

S/shm Ue Ckye oho Aukeyeshc/ 4(4 kd (impede J ■kixm^py' 
oj Co'^Apo'^emh !^(k\- /noeJ rPpMceMn^^ oy repac-r 
(yk^M s^sk'^ oy LRii ^\ch. ]}enuh'Vi^ Mis exfCch’J 
kuvHh^i l>^ £ M[t) 0)6 aye qUb fo coii^pule f/tfi 
id^to run OiVByajB Muml^Pr of Conpouonks repkcBol 
pBr %v\i( (ACUT)j MQUiefy £ M[t) / tiT^f , 

Jfr^B ‘>ioh.^ Mb i‘/f of fiit wP'i (xlh/sknM 

a^d Me Q^psckd vo^kt oj, 

ocjutrci/oiilfy Mp / 1 TBF as 


Xj”!. ^k“S. A- 



(-1) 




« AiBf.li.-xz^-riS-eii; 

Jlr' ■ ■■ ‘ ‘ 


A.^'1 

r/p dPyi'vixlfor of foy w'txUli) ot1l loe J'oun J yu A\ddehdotr\ A^" 


-Vi = 6 



ITY 


VIII -9 


ORIGINAL 

OF POOR QUAUTV 


a? 


J/ M(T) d6^ok^ 0 / Compone^is r^a/ 

Onr fytp^xCr a/ /o/a/ S/shy^ 

f(Xi/fuyS ’thsm 



Tli^ o/cyivahon^i tj, foryu'uU (2J &jill ht j^oaud A'^h 


fyo^M [i)oMcl[2-) ht CCLM /'liBu co^pule H\e. ACIAT^ 
UlcIa dS ol^ fiueo/ Qf £ Alirj/piTBF. Uo opera^o^iQ/ 
AAt^ayu'u^ of. -Hu's olBl^'HClio'i4 6x plcu'yie^d aia olelad 

2. Rou^l^y E M[r)/MTBF r^pr^J'^'uh 
Uv6y(xjB /Hu'iubsy ol. CO'M fiouC'hh (o kt 7&joloicecl 
ppy 'Kva'I h'n\t ^'1 AApoy^ ^Oick facluyf of <7 a's 

rtfyi6i*^Bcl (all kaJ Co'^po^^'nis (xye nrepleKCBd) tX^Ac! lot 
ikis ytyieiAOi! protess o^dr a hu^ pBrcod 

kme. 

Tie ^HouciA^ HtAUAdrC cahHifu/h aye dPri'yed x'u 

Afpewoh'x C, 

Toy k^i ^ (x\aJ L^-Lif-s^lo'-^ DB Ijja^i 

(X'A LRU co'M^ pri'J'pd oj, fouy SuksysfeTi^s lu Sdn'e^j 
x\e. fl^t s/sk^ Aj opey Oiii'ou a! suly all jouy St^k^ykcvAS 


VIIMO 



OHJaiNAl mciE 0 
OP POOR QUALITY 


(Xy^ Of>€i aii‘o%al [k--i) , CunipoMH-ih Xia suks/s/e^^ 

^ 0M.J l liAve ^(uiuy6 nrdfd ^< 11 » io“^//touy auJ 
/tw Subs/s/CTtis 2 (X^J 9 liM j(X.il\Ayi yafQ S f- / koixi , 

Tkt fo//o(*>t'u^ axo^'UAjfks ko<y^ 0 ^ pohB'hU iH^)^ 

QUij 'l^ecessay/ for ppe^raf tout (hi) 

Ja'me for all fouy ^ Q)(aU'\,pk i &H four 

SyslO'ms ^ of d suloSysk'ms > ikalX> Sa^ksubsys!^'^ 
Co'^pTL'SecI f Mcut Xuoleyeuoldnl parU^ QC^l\r of (pkcd 
MuSl looyk foy ike J’ubs/fleui h uxork. 

»■ 

fouy yuhs/siews 

Li-»Li~ !o'^ /kouy 1 faduft 

’^'5' X lo’^ f kouY J fa/sf 

^XQUxple i. ' 3 B(xcl\ J’ufcj/i/p'H. TT COiMprt'sec/ of 3 CouApouifi/ilr 

E(yck jubsyfh'in operahs if ^ Compos euh idork 

MT&F - IXs'S,^ hurs 
£ HiD-l U • 

ACl^r ^ IXi^dO'^/liOuy (wera^e k 

io lo£ repaired per u^d h'uie, 


uiMioer of Couipon^ulf 


VIIM 1 



ORIGINAL PAGE IS 
OF POOR QUALITY 


fKaiMpk i- Mj!-=S 

hTHF - IFO.i hours 

B nlrj = i 

ACt*T - 1.33! s/O'y hour 
Exau^filfS, Mi,'-? 

MTbr-r i^3lj kows 

E Mit) - i'i 7 

ACUT r l,ni*W^/hi)uv 

fxatwp/e y. A/-7 A/v-7 

--<PS-7,s- kours 
E M[V = i 

ACI3T- UU'‘ lo~'^/lour 


vin -12 


OWCflVAL 

Of POOR qSaut? 


/ikii'iiolim I 


lei XtiJtjo^Hc/eHi' C^poPieiAh'a/ 


nrayido-hi variables uiClk 

lei « 




auJ M^[il^ ^ Ir<o ^.n = %iiOfnber cf lailuyes Xu fh 

h’M£ i:. 


7/(u.? jlXiluye Z/’/nfi t/ X^^ smksyslem QkCtk 

openroifes as' /cn^ c\s oj Xls /V^ C0'hpoi\P%h opsrale, 

MeM Pf 5 }>tj=Pf^xW<^J = 

(j*i[l-ex|»(-L;, 0 ]^ fiX|»[-UKN/-p] 

J 

■-|:Z(?)(i)w’«»r[Li«i<ir*)] (A<J 

^=0 'u.ro 0 ‘ 

lle^l miyooluce r= jaclu-^e <rf lit 

k Mhsyskn^s C(my\Gcieo/ Xyi se-rces. 


VIII -13 



ORIGINAL PAGE IS 
OF POOR QUALITY 


ET^f P[m)iJi 
0 

{At] 

0 i-i 

HiB EXp'rBSSi'ons (Ai) Mo (A^) 

OuJ /Hiuikpl^iu^ oul Jis J'MS lollocoBol 
Oui ikB ixpoyenh'a/ fBrnts 

ET-. 

^.Xl WWI XI rLAN^.urj, I ^ 

k k 

Mi lei Ir^ 

■=r 'Tiun^bcr joidufes /h H\B hicki bjA i. 

M[t)^ OiUMhr ojl faduYes -{> (h hU/ ^psky^ al ike 
Ti^yiJo'^yi h'we T i^htn hlal £/s/ei^ fokd?. 

pile Xl E (I'iV / t = iX Ad .?( Sxj iiil-k) 

. A ns,, . iXij 

A ‘^1 


y^ce EM[T) r. d ij] 

A =1 ^ 


lAV) 


VIIM4 


ORIGINAL PAGE IS 

OF POOR QUALITY 


to t 'kole P[ ^ t) P(t>. (S ^,= U 

o/vid p( =') ' P(s^ vs_, 

' A 

[A() 


j»L D 

A/. ^ 


Fu'vfk-r P(Si>4^a'=)'P( 21 Irr ,<s] **‘l 

jri l:iij j 


Wt 


P(?I 


1=' 


[•SiV *'] 


< X, 


.) 


= £ M er[-Li-(K-ii)] 

JV. } 

- £ t If) (il erf-U' (Mi-I-J <1^)1 ^ (AV 

Co%hi'A\^ Ik GX|5re^ii'o')if (Aijavicl (A7J aV(A 6) ue 

ou^ Te^w-lkuj i^A(A^») ^ Xv\j6^i x.v^Io(As) 

av^d AVifp^'^al-e ou^ )l\9 f^&'rvuj. Ue I^Iau? oL'ai'u 

ore rl 7" 7 7-7 ('^•\ 

2 _--^ Z. -A -j(ry-Ui,)W/ Kl 


h) 

/.= i 


VIIMS 


ORIGINAL PAGE IS 
OF POOR QUALITY 


Ji'Hu’h'fly d 6 ol}-iat''h AM 





H^SSrh'u^ Ihi'f expr^e^StOh AU^o[A‘i) mj puHf^t^ H\rou/^k 
Si^y^l^^h'oh ZT 0J£ McxiM 

il~t 





a!- I 



vin-i 6 


ORIGINAL Aiiii 
OF POOR QUALITY 


So%^e IrdyiSv/al Ikcoy^l^'C r^^uHs Civcl 

CO'MC^rUt'i*^ ACUT, 

\ 

CoviSCder H\e folloUt^i^ k(h^e CohSiskuj 

0^ (X ^C]A(le Aux'kifep'f 0^ OOy^pO^\ev,i:s. ji\e 'YOi'lA.Jo'l^ 

bj, //i(? S/sfe^'r^i ^'s deworQ<J h/ T a\J af Ilie h'ute of 
fai7uv6 \)dt obsSrvS fQuJovh HlA'HihPy M cj CoiMpaythxh 
H\ai- ka\/e faiho/, Af faclure S/fh'^ a's re^xeu/ec/^ Ale. 
all ih cow[pone\Ai^ ore reshred -^o new. [ h ^e case of 

8x povieviii al co^pon.e'h/ failure h'i4^ef aulj iLe foc/eJ 

COUiponeu^^ (^li! need 'repair 0"^ rep/cxcerHevLi.) 

flu'f procedure Aude (Cvuie!/ al edtlt sysie^i fac/ure 

0)t ikuf C'yeah a reneiAd f>roCGss 

idliO'Yd 7/ a's I'ke h'lAiS heiu>ee'v\ iLe a-i si- auo/ failure 
of Hie j/ffenA md Mji as ke nuiuher of jailed couipo^e'hk 
(x(- ll\e Syf(e%failuyt, [TI^I^l)^ (Ti-j ^t) Xj ass n'^ed 
h he a Jecjne'u ce <f Xudepeuc/^nf au.d A'd^nhXa.11^ 
di'Shi'hixhd btvOiyLOile yando%i i/ethys (ji'A ^ean 
[£ Tj • lo auocd Iri'i/ialiii'es soe a^su/iH^ Et > o, 

Be ft'iie I'he fo/loioiu^ Couuhuj raudon yayraUes i 

o\ 

d[0-=' dPtaxfdi oilA^hey of'r€^eu)ah <tk 

A/for ^ ^ n MU her cf eo^ipohenls replaceol [o^ (:], 


vin-17 



ORIGH^AU PAQS !S 
OF POOR QUALITY 


l/^e C^Oi ^OIjJ -^h'tO fl/it UsOyPlM phhi'^Cu^ 

^IaQ ^v^'rage Atu-vt^tfir of. co'HAfone^fs Teplacsol per 'U'ucf 

kw [ACUT)'^ 

Theor em / a; Em/bT as 

iji% proUhrAi/ i 

L) E^/et a/ 

proLtxkilijf i 

c) EMK)/t — >EM/et aJ' 

Piscusst'O'Hi <^) ca^U cohscdSyec/ 

4,-i 4 : 1 

OS' 0. k'%\e a^e^aje ov^'r ye'net^(^l percocis j 

AKu/t a\ i>) cayi he co^JCc/ereJ as a H'me a^e^aje 

0\ier i'ke xul-6r ual £ 0 ^ tj O'^d EH[i)lir a'u c) Ca^y 
he copifCclMc/ as Ake h'iue ai^Bvaje o! fki Q/pec^eJ 

^ixwkSr df rSpIctCsJ Conypotien/s a'u <^e Evy^erm! [o^lr]. 

stahier IjUccU oj. He oloove avS^<Xje nAok'oiAS U)6 adofi-^ 
/■u He liiULf los%-^ *^ or U)e o^pproc^tA Hie doine 

i/a/ufi EM/et. 


0R1G5IIA1 t ’ 5 
OF POOR QUAUTY 


\:U 


Pyoo| o( \^e a) OiVi jCiM'^^diOik co\^fecjUP^r^ 0 / 

ii\G rlvouj law oj. loiYje, /nu'U\6pirj', 

4 s jot k) ; Uri^t 

Af(y/t = (^'m/ /nh) )■ (l^[ii/i) 


A.’-l 


sUhoIu'^cI iliSOY^ (&ayloO ai^d P^'osc/ta'u ^.In) 

(ot kavP t^ii^/i i/s'T QiS a><V4 prt?haloiUi^ i, 

SCviCe B M Oi-*- ^ OiV\J 

(j^'lL proho-bi'/ri^ 1 iieob fa(’Pi ^ / J^(i} B M dS' 

loilk prokaihclid^ 1 ^ cskCcA pro\/es . 

As lor C-) ! hk Haol^ {/^4t^'^l = oij = 

(s 4Ma6pf)udevLf vj, y -VW + i -t’/ a 

-t’lAj feme liifi i'ecjuc'Rce — 

(-teuce Wald'^ fi^jua-fi'ooi (Bavlou) cxwol Pnro^cAa'^i f,p 
io« Uve 

e( r m^I-'bm [Em^ ^) 


x~t 


TTie ekwevyl-ayy H'Heua/ ^^oyPyy\ CRosr ^I'eld, 


Em{{- VfT aj> i 


oa 


k-yice EH(t)li ^ E/^[£Afii) h)/It f E i-^ Em/e 


as i 




q.Q.J. 


vin-i9 


ORIGINAL PAGE IS 
OF POOR QUALITY 


/4 l/Jp 


<S> 


CXaii^jolB ItJY MyBF"£T (/i'i) 

— Lr^U-^2.hi*/o^^ 

Qxpfesfiov\^i) (tiip^joY^u H\i sua^di^ahou 4lu 
follows I Yh Back auAhi'\A(ik(M ffj-vjV i ^'^ol\*ces /w 
oulxccle H Ju'Vmj (*it pFy jo'rin%Q Jutwvt^aK’ou ^ ll^t A\/fde V J'u'Mr 
flud iiA IkB Bud ut Juus o\/8'^ all J{^o5^ N^uw! Co*t"<cr)pouo/i’Mj U 
ail CiKubCuak’OMS((,^.^ j\) 

COLuhiiiOiliDU (j\j.-.^j<i) JuwmkinA ifj x,'ujt'a(e ^ Jmvuj 

(0,0^£?^0) ‘ (51i^3L»i3/.,f3^j"^ ^ULmWo"- 

[U, -- 2 Msoin> 

I 

5[ (5L,*SL,iiLjiil,)'-(iUii> *5l,i3i,)'^J= l.amkhf 


[OjO,C ,0 
(Oj 0 ^ 1 , 0 ) 
[ 0 ; >y 0 , 0 ) 


[i, 0,0, a) 

(V/ 


iAvue luj J^ii^iuely I' 

3 ^ [(H,^JU^ 3 LJ^ 9 L^F-■l 3 L,iUt^jL!HLfj'^ 

-(Sill 5U 3L,*iL1)'‘^(5L,l9Ul 3liHli)'^]--smW’lo^ 


YlU -20 





[o,i, 0,)) 


[l;0/,0 
[1,0, 1,0) 
[0, I, 0) 




ORIGIfJAI. mit u 
OF POOR QUALITY 

as 

/ [ ( 3 L, 1 8 It ) <4 ' < U) " ^ 

-(3L,. 9i. 5 W'Mu, • 3U. 31 , » '■ 

,^L,UU3U*8m' + l3li'3U'3U>3U) ]-i,7/VW8V'0‘ 

Jmt 

-fil,^ 51. ^ i - liii/fit'’ ^3ly] 
*(jL,<5UJSi,»3lvr‘»f3L,aUOi,*3l.y)' 

* (Ui) 31.ti8l-3 L34f-bt,l 5iv>3L, t9L,r]= l'.t3^573y3'/0 

Jaiue ^ 


VIII-21 


ORIGINAL PAGE IS 
OF POOR QUALITY 


foy (/ 1 ) I) nL,rt ^u,|}k^iUln/ 

- [iLiitk iJUtLif. l5l,*n,in,i3ii)'' 

^ [iL, I iUi 3i, uLifUil-i > 3U f IL, J= iMW’iy 

4 

>[!l,ilUi9L,,3L^f\iiL,HLi iUtU^y* 

[it, lUti 

^{^L,^3U t }Lj f 5t,)''-i3l,)3|j3l5+)4|-‘ 

- (3!.,(3U nwr‘ • biitHinij 

- [fl.,nU(3Ljt34f‘+(3L,*3Uf3l.,01-7j'’J=7^5»553Mo‘ 

vni22 


ORtGINAL PAGE W 
OF POOR QUALITY 


jutum'uA A Mm [i.uSi^iWoh- \masMto') 

lii’elols BT = i?rs; miU ^izss-. f 

toliSrsat [if* ^ M/=i (uM ifoMie U' ii6^Vi4 

/V .41 

E T ^ iso.%oon ISO. s 

Fo-( ecus k'^'C %,-.■ omJL* ctTUeftf/S 

i;e obfai't^ i'u fke Mm /Manu?rB'eii>/i)Ciu^ fa^JS ^ T(uaJQ 
a'u Hit ckove i)/efai'l(ol Brjaluakou Mt K> Auh'de JuMt) 

E T '= leiO.iiloV l^U.o 

LokS'tCHS’ It/ ji-'i Xi'-ff-i o-uJ JoAMt L^‘ w 

V < 

£ V . L kc) - wr/r/f ^ Sn c- 



ORIGINAL RAGE IS 
OF POOR QUALITY 


0 )(Oi^]/)k f(Tf E Kt) 

A/y »• J L;isL^»S’ K/O"^ 

lUfu^ ^}(prePS'('D'^ (i) 4)6 perfo'Tfu /^e I'u 

^IcfS (xs^ loll t For B 0 icJ\ coiabi'Hah'oH 4 

Xudi'CtS’ AU Pke OILIJCcIc 9 JUWf pBrfortM HiS JUUUMdh'ou 
of fkt Xi^Side H apJ Xu bht ^ud cjB Ju%t o^e^i all Eiose 
Jumf Corvespoud/'u^ h all couAhiVakous 


COMAkiiidhou Ju^makou yj Xuh’Jf yjum 


(o, 0, 0, 0/ 

0 

(o, 0, Oj 1) 

- L(j [L i*U / Li)'^ = -MHooii 

[o, 0,1,0) 

JQjtje ky y^msly^ v 

h, 0^ 0, o] 

-^L,iL,iUiiiUi,f^ . -./W7i5S'z 

[o, (/ 0/ 0) 

ky jyi^uAahy *• 

0,1, 0,0} . 

^(l,fU( 3i,^SU3il*31y^‘] --Mlvnnt, 

OiYii) 

i-[L,imi3L,l3LjHL^t3L^)'^] = -.imaS2p 


Vlir-24 


ORIGINAL PAGE IS 
OF POOR QUALITY 


[i 0.0,1) 

t[LilLi)[SL,lBUiSLiHLir^ 2 - -.niW/S^} 

(Oil/.O) " " 

lw,0) f[-L,(U,iUjH.iU/'-LM,^3U*tL,nL/‘ ^ 

.U[>L,l3U3k>3Q-UlL,>U)l3h>^L,Mii3Lj ^ 

f[Li> hf^L, t!Lt>3L.i * [Uil-i)(l i-.l 3U> 3 L^‘ Bill ■ 

-[L, I L.* L:i) 1 3L|^ BU*31-: '3Lfj ] ^ -.oVBo:!3-.V 

[l,l,0,i). Jawe h} By iK-me^r ’,1 " 

iO,ljl,i) f[-UULil3Uin,Hl^f-UBL,ilUl3kl3h)^ ^ 

- iy (3Li3L, ai>l 3hf' [L,iU)[3l;Hl,i3l,tSh)' 

t{Uai)l3i,>iUiUii3hfi{L.iLi)l3i,au*3L,nL.,)''^ 

- (L.Usth) [siil3Ui^3li^3l-fl 3 rr -Jl!3^Jl2T/ 

[lOjIiO Jme l>i " 


VIII -25 


ORIGINAL * 

OF POOR QUAUTY 


[ill,',') H^l- lUyfi lJHi tSL. 1 6 k l3Lff‘ 

~ Lt l^kt fkHk^^k) ~ L^lH, ik ^ 

i{L,tU)lSkiSUHU ^<ti.f)-‘-4 kidi)l>L,ilUiiktHi)’\ 

i(Li Ui) (H,4Sknl, Hkfiik iLi)l3hltU Hk >3hf‘' 

HUlk)lUi HUHLjl'Hf)'** lUik)lBl,HL,,}U I3k)'‘ 

- (/, 4 UUi)( 3 l,i 3 UtsLi-i-Hi)'-(l, 4 LUr)/Uif 3 kifk>Blf)'^ 

- (L, I Ij I iy)[ Sk/fUl 31, 1 3 Lf)-*- (u U, I ij U, 4 3L, 43L, 43kf 
4-{L,4 U4L2lL^}i3L,43U4-3k43Li)'’-'] = -JOUll/U 

JuMdti'uo fhut M Aider uie.o/i'akJU'MS loe elohuu 

(/ 

0 f 1 - 3 , oo/iom)i ^- • ^ l-JoU 27 i 6 i) 

ii}k(lA ijiM E HiThi- l-tTsmzui) 
km E Hiv/MUf ^ IM515Uhlo^^ Lm^io'' 

fh'^ Ik CaS£ /-/ Erl - t-*-' -Ki-i- (\Uol E as iejoye 

U)t Ita^e E E[TJ- d. ChiVtally) 

Ijokak yields acut-= hiiu * lo^ ^mnio^ 

Eoy l-ke tare k7 Xt-“-Xv^2 au.dUasU/oye 

i)dt oIoIoli’i^ A.'Vi fk jQ^e rUtaUu&r (T-ejahxCCuj (f lZuxI 3 hy 

1 (xud 2 AM Hit (xLove dtl(x^'k(i 9 \/qIu a fcou ^ llie 

AiASide Jutus) 


VllI -26 


°miNAL page is 
P oop QUALITY 


F n[r]~ i.iuini,ii « uu 
hice Ml^rr-^ E m / MUF - UinFS- m2 * lo 

\ 

lijliheaj ike case U^-- - 2i=---->^i-L 

Oitkayt EM{t)^l 

lokck ycsidi ACIST-^ lMiylo^<^ !M>ld 


VUl-27 


/ 


dXuJ ^ 
3 


ORIGINAL PAGE IS 
OF POOR QUALITY 


The comaindor of appendix Vlir consists of output from the 
reliability simulation and a listing of the program. 


OF pS fci 
p POOf? QUALITY 


79/08/U. 12.23,14 
KK82 17 5D.no 4 6 0.4 ID 


79/08/05.DS-0 


20. 21. 28. 79/08/09. 


a'KRMINAD 5, TTY 

RKCOVEU/USER ID; j rose 

N>call,box 

INPUT THE TOTAL NUMBER OF BOX FAILURES TO BE RUN 
(SUGGEST A minimum OF 1000) 

I>10000 


THERE ARE 4 DIFFERENT TYPES OP COMPONENTS (CLOCK, CPU, MEMORY, AND I/O PORT 
EACH TYPE HAS 9 COMPONENTS, SEVEN OF WHICH MUST BE OPERATING FOR THE BOX TO 
OPERATE 

COMPONENT MEAN TIME BETWEEN FAILURES 


30000 HOURS 
20000 HOURS 
20000 HOURS 
30000 HOURS 


<<<<►<* <’<'<•>>»>>> 

<< >> 

<< RESULTS >> 

<< >> 

<<<<<<<<>>>>>>> 


TOTAL BOX OPERATING HOURS = 2560.2470 YEARS (22427764.1456 HOURS) 

'I 

TOTAL NUMBER OF FAILURES OP THE BOX = 10000 
MINIMUM NUMBER OF COMPONENTS FAILED WHEN THE BOX FAILED = 2 

MAXIMUM number OF COMPONENTS FAILED WHEN THE BOX FAILED = 5 

AVERAGE NUMBER OF COMPONENTS FAILED WHEN THE BOX FAILED = 3.2489 

TOTAL NUMBER OF COMPONENTS FAILED = 32489 


COMPONENT 

REMOVAL RATE 

(REMOVALS/OPERATING HOUR) 

NUMBER OP 
FAILURES 

FAILURES AS 
% OP TOTAL 

CLOCK 

2.85584E-04 

6405 

19.71 

GPU 

4 .34640E-04 

9748 

30.00 

MEMORY 

4.29780E-04 

9639 

29.67 

I/O PORT 

2.98603E-04 

6697 

20.61 


BOX REMOVAL RATE = 4.45876E-04 REMOVALS/OPEPATING HOUR 


comment. RUN COMPLETE 
N>bye 

JOB PROCESSING CRUS 3.579 

TOTAL JOB PROPRIETARY CRUS 3.272 

JOB PRINTING CRUS 0.434 

BYE 79/08/11. 12.25.47. 


CLOCK 

CPU 

MEMORY 
I/O PORT 


Vm-29 


ORIGINAL PAGE IS 
OF POOR QUALITY 


TITLE! BOX RELIABILTY SIMULATION 
ANALYST: JIM WASSAL 

ENGINEER! JOHN ROSE 
DATE: JULY, 1979 

ABSTRACT :THIS PROGRAM SIMULATES 4 DIFFERENT STAGES OP A 

HYPOTHETICAL FTMP WITH 9 COMPONENTS PER STAGE. 8 OF THE 9 
COMPONENTS IN EACH STAGE MUST BE OPERATIVE FOR DISPATCH. 


PREAMBLE 

NORMALLY, MODE IS INTEGER 

permanent entities 

EVERY TYPE HAS A MTBF, A NUMBER. FAILED AND A TOT. FAILED 
DEFINE MTBF AS A REAL VARIABLE 
EVERY TYPE AND UNIT HAS A STATUS AND A TIME .TO. FAILURE 
define time. to. failure as a real VARIABLE 
EVENT notices 

EVERY FAILURE HAS A TYPE. FAILING AND A UNIT. FAILING 
DEFINE LIMIT, MAX . FAILURES, COMPONENTS . FAILED, 

SUM. OF. COMPONENTS. FAILED, TOTAL. FAILURES AS INTEGER VARIABLES 
TALLY MIN. COMPONENTS. FAILED AS THE MINIMUM, 

MAX. COMPONENTS. FAILED AS THE MAXIMUM, 

AVG. COMPONENTS. FAILED AS THE AVERAGE AND 
TOT. COMPONENTS. FAILED AS THE SUM OF COMPONENTS . FAI LED 
DEFINE GOOD TO MEAN 1 

DEFINE BAD TO MEAN 0 

DEFINE EXCEEDED TO MEAN 1 

DEFINE RESET TO MEAN 0 

END • 'OF PREAMBLE 





vm.30 


original 

OF POOR QUALITY 


MAIN 

DEFINE FIRST, FAILURE AS A REAL VARIABLE 
USE UNIT 7 FOR OUTPUT 
PRINT 3 LINES THUS 

INPUT THE TOTAL NUMBER OF BOX FAILURES TO BE RUN 
(SUGGEST A MINIMUM OF 1000) 

READ LIMIT 
SKIP 2 LINES 

CREATE EACH TYPE(4) AND UNIT{9) 

PRINT 20 LINES THUS 

there are 4 DIFFERENT TYPES OF COMPONENTS (CLOCK, CPU, MEMORY, AND I/O 
PORT) 

EACH TYPE HAS 9 COMPONENTS, SEVEN OP WHICH MUST BE OPERATING FOR THE B 

OX TO 

OPERATE 

COMPONENT MEAN TIME BETWEEN FAILURES 


30000 HOURS 
20000 HOURS 
20000 HOURS 
30000 HOURS 


<<<<<<<<>>>>>>> 
<< >> 

<< RESULTS >> 

<< >> 

<<<<<<<<>>»>>> 


LET MTBF(l) » 3 

LET MTBF(2) = 2 

LET MTBF(3) « 2 

LET MTBF{4) = 3 

LET FIRST. FAILURE « RINF.C 

FOR EACH TYPE, FOR EACH UNIT, 

DO 

LET STATUS (TYPE, UNIT) = GOOD 

LET TIME. TO. FAILURE(TYPE, UNIT) - EXPONENTIAL.F(MTBF(TYPE) ,3 ) 

IP TIME. TO. FAILURE(TYPE, UNIT) < FIRST . FAILURE , 

LET FIRST. FAILURE » TIME. TO. FAILURE(TYPE, UNIT) 

ALWAYS 

LOOP 

FOR EACH TYPE, FOR EACH UNIT, 

SCHEDULE A FAILURE GIVING TYPE AND UNIT 

IN TIME.TO.FAILURE(TYPE,UNIT) - FIRST .FAILURE HOURS 
START SIMULATION 
END ' 'OP MAIN ROUTINE 


CLOCK 
CPU 
MEMORY 
I/O PORT 


VllI-31 


ORIGINAL PAGE 18 
OF POOR QUALITY 


EVENT FAILURE GIVEN TYPE AND UNIT 
IF TOTAL. FAILURES >=> LIMIT, 

PRINT 7 LINES WITH TIME .V*10000/36 5 , TIME.V*240000, LIMIT, 

MIN. COMPON ENTS .FAILED, MAX . COMPON ENTS . FAI LED , 

AVG. COMPONENTS. FAILED, TOT. COMPON ENTS. FAILED THUS 
TOTAL BOX OPERATING HOURS » *.*#** YEARS ( HOURS) 


TOTAL NUMBER OF FAILURES OF THE BOX » 
MINIMUM NUMBER OF COMPONENTS FAILED WHEN THE BOX FAILED » 
MAXIMUM NUMBER OF COMPONENTS FAILED WHEN THE BOX FAILED ■ 
AVERAGE NUMBER OF COMPONENTS FAILED WHEN THE BOX FAILED * 

TOTAL NUMBER OF COMPONENTS FAILED » 


SKIP 3 LINES 

PRINT 12 LINES WITH TOT . FAI LED ( 1) /TIME .V/2 40000 , TOT.FAILED(l ) , 

TOT . FAI LED ( 1 ) /TOT . COMPONENTS . FAI LED*1 0 0 , 
TOT,FAILED{2)/TIME.V/240000, TOT . FAILED( 2 ) , 

TOT . FAI LED ( 2 ) /TOT . COMPONENTS . FAILED‘1 00 , 
TOT.FAILED(3)/TIME.V/240000, TOT.FAILED( 3 ) , 

TOT . FAI LED { 3 ) /TOT . COMPONENTS . FAILED* 1 00 , 
TOT.FAILED(4)/TIME.V/240000, TOT . FAILED( 4 ) , 

TOT. FAILED( 4 )/TOT. COMPONENTS. FAILED*100, LIMIT/TIME .V/240 

000 THUS 

REMOVAL RATE NUMBER OF FAILURES AS 

COMPONENT (REMOVALS/OPERATING HOUR) FAILURES % OF TOTAL 


CLOCK 
CPU 
MEMORY 
I/O PORT 


« * * ^ 

« * * * * 

A # ilr A * 

A A A A A 


♦ ^ ^ * ft 
A A ^ A ft 

A ft ^ ft A 
A A A A 


BOX REMOVAL RATE = REMOVALS/OPERATING HOUR 


STOP 

ELSE 

LET STATUS (TYPE, UNIT) = BAD 
ADD 1 TO NUMBER. FAILED(TYPE) 

ADD 1 TO TOT. FAI LED (TYPE) 

IF NUMBER. FAILED(TYPE) = 2 OR MAX. FAILURES = EXCEEDED, 

FOR EACH SAME. TIME. FAI LURE IN EV. S ( I . FAILURE ) , 

WITH TIME. ACSAME. TIME. FAILURE) = TIME.V, 
FIND THE FIRST CASE 

IF FOUND, 

LET MAX. FAILURES = EXCEEDED 
RETURN 
ELSE 

LET MAX. FAILURES = RESET 
■ ADD 1 TO TOTAL. FAILURES 
FOR EACH TYPE, 

DO 

ADD NUMBER. FAILED(TYPE) TO SUM. OF. COMPONENTS .FAILED 
LET NUMBER. FAILED(TYPE) * 0 

ALSO FOR EACH UNIT, WITH STATUS (TYPE, UNIT) = BAD, 

DO 

LET STATUS (TYPE, UNIT) = GOOD 
SCHEDULE A FAILURE GIVING TYPE AND UNIT 

IN EXPONENTIAL. F(MTBE 'TYPE) ,3) HOURS 

LOOP 

LET COMPONENTS. FAILED = SUM .OF .COMPONENTS. FAILED 
LET SUM. OF. COMPONENTS. FAILED = 0 
ALWAYS 
RETURN 

END "OP EVENT FAILURE 


APPENDIX IX 

HYPOTHETICAL FTMP COST AND BENEFIT ANALYSIS 


An example is provided in this appendix of a Cost and Benefit Analysis of two 
hypothetical configurations for Fault Tolerant Multiprocessors (FTMP). The first 
configuration FTMP9, consists of 4 stages with 9 components in parallel in each stage 
and a requirement that at least 8 out of 9 components in each stage must be operating 
for dispatch. The second configuration, FTMP8, also consists of 4 stages but all 8 
components of each stage are required for dispatch (i.e., no replication for dispatch 
reliability). 

The question to be answered is "Does FTMP9 justify the additional investment 
required?" 


For the example, it was assumed that FTMP8 or FTMP9 are required for an active 
control system which results in 2964 and 2960 pound reductions in structural weight 
for the respective alternatives. 

The current version of ACES was used for the analysis. Removal rates used for 
FTMP9 were derived in appendix VIII. While there are a number of shortcomings in the 
current ACES type of analysis, the analysis does serve to indicate the advantages of 
replication and importance of accurately assessing delay, cancellation, and spares 
cost, which turn out to be very significant in the sample analysis. Note that ACES in 
its present form does not answer the question "Are the weight savings benefits of 
either scheme economically justified?" and in any event a total Fault Tolerant Active 
Control System Analysis would be necessary for this purpose. 


***************#'fc*^lr'*ff^**********lll(*** A ************** 


DESIGN TOTAL COST OF OWNERSHIP SUMMARY 

PROGRAM TEC038 ORIGINAL PAGE IS 

VERSION C038G1 OF POOR QUALITY 

RUN DATE 08/10/79 


ANALYST OHARE/7-0102/9R-27. AIRPLANE MODEL 767 

INVESTMENT ASSUMPTIONS FOR CASE FTMP8 OF DESIGN FLT-CNTRL 

BASE YEAR FOR EQUIVALENT VALUE 1979 

TAX RATE 50.00 PER CENT 

INVESTMENT TAX CREDIT RATE 10.00 PER CENT 


TAX DEPRECIATION LIFE 


10 YEARS 



USEFUL LIFE OF PROJECT 


15 YEARS 



EQUIPMENT LIFE 


20 YEARS 



FLEET SIZE/YEAR 

9 

. 21. 30. 

• • • 

30. 

INFLATION RATE/YEAR 

8. 

00 8.00 8. 

00 . . . 

8.00 

MIN. ATTR. RATE OF RET 

./YEAR 15. 

00 15.00 15. 

00 . . . 

15.00 

COST ANALYSIS - (SEE D6-42875 FOR DEFINITIONS) 






PEX 

PEX. AV. 

ENTITY 

CUMULATIVE 

CUM. PRESENT 

PC OF 

DOLLARS/ 


CASH FLOW 

EQ. VAL(PEX) 

IC+OC 

FLT. HR. 

INVESTMENTS; 





AIRPLANE 

-1740896. 

-1512925. 

***** 

-1.35 

ROTABLE SPARES 

-292058. 

-250831. 

-66.7 

-.22 

EXPENDABLE SPARES 

-342. 

-342. 

-.1 

-.00 

GROUND EQUIPMENT 

0. 

0. 

0.0 

0.00 

SPECIAL TOOLS 

0. 

0. 

0.0 

0.00 

BUILDINGS 

0. 

0. 

0.0 

0.00 

RAMP EQUIPMENT 

0. 

0. 

0.0 

0.00 

TRAINING EQUIPMENT 

-10000. 

-10000. 

-2.7 

-.01 

MAINTENANCE MANUALS 

0. 

0. 

0.0 

0.00 

OTHER 

0. 

0. 

0.0 

0.00 

OPERATING COSTS: 





MAINTENANCE LABOR 

-211136. 

-72153. 

-19.2 

-.06 

MAINTENANCE MATERIAL 

-284406. 

-97372. 

-25.9 

-.09 

MAINTENANCE BURDEN 

-441597. 

-151089. 

-40.1 

-.14 

SPARES HOLDING 

-698534. 

-240781. 

-64.0 

-.22 

MAINTENANCE TRAINING 

-32215. 

-16356. 

-4.3 

-.01 

FUEL/WEIGHT 

12357833. 

4156416. 

***** 

3.7 2 

DELAYS/CANCELLATIONS 

-3931561. 

-1378459. 

***** 

-1.23 

AIRPLANE INSURANCE 

-121461. 

-49794. 

-13.2 

- . 0 4 

OTHER 

0. 

0. 

0.0 

0.00 

RETIREMENT COST: 



. 


NET CREDIT 

0. 

■ 0 • 


0.00 

TAXATION: 



■ 


INVEST. TAX CREDIT 

184532. 

162528. 


.15 

DEPRECIATION CREDIT 

1021477. 

621815. 


.56 

INCOME TAX BENEFIT 

-3318462. 

-1075207. 


-.96 

TOTAL 

2481174. 

85451. 

100.0 



i ■■ 


C# 






ii 


© 






.<nh 


© 


IX-2 





ORIGINAL PAGE IS 
OF POOR QUALITY 


DESIGN TOTAD COST OP OWNERSHIP SUMMARY 

PROGRAM TEC038 

VERSION C038G1 

RUN DATE 08/10/79 




ANALYST OHARB/7-0102/9R-27. AIRPLANE MODEL 767 
INVESTMENT ASSUMPTIONS FOR CASE FTMP9 OF DESIGN ELT-CNTRL 


BASE YEAR FOR EQUIVALENT VALUE 
TAX RATE 

INVESTMENT TAX CREDIT RATE 

TAX DEPRECIATION LIFE 

USEFUL LIFE OP PROJECT 

EQUIPMENT life 

FLEET SIZE/YEAR 

INFLATION RATE/YEAR 

MIN. ATTR. RATE OP RET. /YEAR 


1979 

50.00 PER CENT 

10.00 PER CENT 
10 YEARS 

15 YEARS 
20 YEARS 
9. 21. 30. 

8.00 8.00 8.00 

15.00 15.00 15.00 


8.00 

15,00 


COST ANALYSIS - (SEE D6-42875 FOR DEFINITIONS) 


ENTITY 

INVESTMENTS ; 

AIRPLANE 
ROTABLE SPARES 
EXPENDABLE SPARES 
GROUND EQUIPMENT 
SPECIAL TOOLS 
BUILDINGS 
RAMP EQUIPMENT 
TRAINING EQUIPMENT 
MAINTENANCE MANUALS 
OTHER 

OPERATING COSTS: 

MAINTENANCE LABOR 
MAINTENANCE MATERIAL 
MAINTENANCE BURDEN 
SPARES HOLDING 
MAINTENANCE TRAINING 
PU EL/WEIGHT 
DELAYS/CANCELLATIONS 
AIRPLANE INSURANCE 
OTHER 

RETIREMENT COST: 

NET CREDIT 

TAXATION : 

INVEST. TAX CREDIT 
DEPRECIATION CREDIT 
INCOME TAX BENEFIT 


CUMULATIVE 
CASH FLOW 

-1978291. 

-162303. 

-374. 

0 . 

0 . 

0 . 

0 . 

- 10000 . 

0 . 

0 . 

-77224. 
-310234. 
-367728. 
-392917. 
-32215. 
12341156. 
-1317607 . 
-138024. 
0 . 

0 . 

194489. 

1075297. 

-4852604. 


CUM. PRESENT 
EQ. VAL(PEX) 

-1719232. 

-141043. 

-374. 

0 . 

0 . 

0 . 

0 . 

- 10000 . 

0 . 

0 . 

-26390. 

-106215. 

-125862. 

-136019. 

-16356. 
4150807 . 
-461971. 
-56584. 

0 . 

0 . 

171488. 

655651. 

-1610705. 


PEX 

PEX. AV. 

PC OP 

DOLLARS/ 

IC+OC 

PLT. HR. 

***** 

-1.54 

-10.4 

-.13 

-.0 

-.00 

0.0 

0.00 

0.0 

0.00 

0.0 

0.00 

0.0 

0.00 

-.'7 

-.01 

0.0 

0.00 

0.0 

0.00 

-2.0 

-.02 

-7.9 

-.10 

-9.3 

-.11 

-10.1 

-.12 

-1.2 

-.01 

307.3 

3.72 

-34.2 

-.41 

-4.2 

-.05 

0.0 

0.00 

0.00 

.15 

.59 

-1.44 


TOTAL 


3971422. 567195. 100.0 


lX-3 


INVBvSTMENT ANALySIS 


ORIG»NAt PAGE » 
OF POOR QUAUTY 


DESIGN PDT-CNTRL 

COMPARISON OP CASE PTMP9 AND CASE FTMP8 


ENTITY ; 

CUMULATIVE 
CASH FLOW 

CUM. PRESENT 
EQUIV. VALUE 

cumulative 

CASH PLOW 

CUM. PRESENT 
EQUIV. VALUE 

INVESTMENT 

-2150967. 

-1870649. 

-2043296. 

-1774098. 

OPERATING 

9705207, 

3221410. 

6636924. 

2150413. 

RETIREMENT 

0. 

0. 

0. 

0. 

TAX 

-3582818. 

-783566. 

-2112453. 

-290864. 

TOTAL 

3971422. 

567195. 

2481174. 

85451. 


COMPARISON OP 

CASE PTMP9 

MINUS CASE FTMP8 

ENTITY; 

CUMULATIVE 

CUM. PRESENT 


CASH FLOW 

EQUIV. VALUE 


DIFFERENCE 

DIFFERENCE 

INVESTMENT 

-107671. 

-96551. 

OPERATING 

3068283. 

1070997. 

RETIREMENT 

0. 

0. 

TAX 

-1470365. 

-492703. 

TOTAL 

1490248. 

481744. 


INVESTMENT IN CASE FTMP9 


INSTEAD OP CASE PTMP8 


YEARS TO PAYBACK PRES.EQ.VAL. OF CASH X.97 

EXTRA RETURN ON INVESTMENT 12.67 

MINIMUM ATTRACTIVE RATE OF RETURN 15.00 15.00 15.00 

COMBINED RATE OF RETURN 27.67 27.67 27.67 


15.00 

27.67 



APPENDIX X 


Partition Theory for Counting Possible packaging Schemes 

With the advent of inexpensive » large and very large scale 
integration and the geometrically increasing cost of 
maintenance labor# the widespread application of throwaway 
and/or replacement modules is just around the corner. 

This will permit more freedom tlian heretofore to package 
avionics systems such as the fault-tolerant flight control 
system, FTFCS. Other innovations will also be seen such 
as actuators, sensors, and specialized computers packaged 
as a unit. Optimization of packaging is a very relevant 
consideration for the FTFCS and this appendix addresses 
the problem of determining the number of unconstrained 
packaging arrangentents which can be made from N components. 
How many ways a group or N components can be packaged 
is treated by an application of combinatorial mathematics. 
The number of distinct ways N different objects may be 
arranged is Nl If N(1) are of one category, N(2) are 
another, and so on, then the number of distinct patterns 
becomes 


X-l 



ORIGINAL PAGE IS 
OF POOR QUALITY 


N! Where 

N(1) IM(2) I . . . N(K) 1 

N(1) ♦ N(2) ♦ . . . NiK) = N 

However f it N(X) = N(J) t 1^ then the relationship becomes 



N(1) i N (2) ! . . . N(K) t 

where there are g pairs, triplets, or n-tuples. A simple 
illustration will demonstrate the principles involved. 


Of?lGiNAL PAGE IS 
OF POOR QUALITY 


Consider tour objects A, B, C and D. 


No. o£ Distinct 


Partitions 

Packaqe 

Packaqinq 

IS 

4 

ABCD 


1 

3+1 

A-BCD 

4! = 

4 


B-ACD 

3! 11 



C-ABD 




D-ABC 



2*2 

AB-CD 

41/2 = 

3 


AC-BD 

2! 21 



AD-BC 



2 * 1*1 

AB-C-D 

41 

6 


AC-B-D 

2! 2! 



AD-B-C 

A-B-CD 

A-C-BD 

A“D-BC 

1+ 1 ♦ 1 ♦ 1 A-B-C-D 1 

TOTAL ' 15 

The calculations ±or N = 1 through 6 are shown below 

X-3 



ORIGINAL PAGE IS 
OF POOR QUALITY 


Partitions 

Examples 

PacKagings 


Total 

1 

A 


1 


2 

AB 


1 


U1 

A-B 


I 

2 

3 

ABC 


1 


2+1 

AB-C 

31/211! 

= 3 


1+1+1 

A-B-C 


1 

5 

4 

ABCD 


1 


3+1 

ABC-D 

41/3! 

= 4 


2+2 

AB-CD 

4!/2!2!2! 

= 3 


2+1+1 

AB-C-D 

4!/2!lll! 

=3 6 


1+1+1+1 

A-B-C~D 


Jt 

15 

5 

ABCDE 


1 


4 + 1 

A-BCDE 

5!/4! 1! 

= 5 


3+2 

ABC-DE 

5!/3!2! 

= 10 


3+1+1 

ABC-D-E 

5 1/3! 2! 

= 10 


2+2+1 

AB~CD-£ 

5l/2!2!2! 

- 15 


2+1+1+1 

AB-C-D-E 

5!/2!3!' 

= 10 


141+1-+1+1 

A-B-C-D-E 


1 



'S 

^OQR quality 


6 

ADCDEP 

5t1 

A-BCDEJ’ 

4+2 

ABCD-EF 

4+1+1 

ABCD-E-F 

3+3 

ABC-DEF 

3+2+1 

ABC-DE-P 

3+ 1+1+1 

ABC-D-E-F 

2+2+2 

AB-CD-EP 

2+2+ 1+1 

abk:d-e-p 

2+ 1+1+ 1+1 

AB-C-D-E-P 

1+1+ 1+1+ 1+1 

A-B-C-D-E-P 


1 


6!/5fl 

s 6 

61/4121 

15 

61/4121 

= 15 

61/21313! 

= 10 

61/312! 1! 

= 60 

61/3131 

20 

61/2I2I212! 

- 45 

61/2I21212I 

^ 45 

61/2141 

= 15 


1 

233 


The enumeration was also performed for N-7 and 8, with the results 
tabled thus: 


No. of Components » N 


No. of Distinct Packaging s, D 


1 

2 

3 

4 

5 

6 
7 

a 


1 

2 

5 

15 

52 

233 

1087 

8094 


X-5 



An appruioMate relationship tor N ^ 4 is given as D(N) 

= exp (exp (.2 ♦ N/4) ) . Using this relationship for N=10 
produces 2,898,000 different packaging alternatives. 

In the year 1935, H. Gupta published a table of partitions; 
in the Proceedings of the London Mathematics Society, 
Volume 39, pp. 142-149. This table does not solve our 
problem directly, because it provides only the number 
of partitions. For example with 6 objects, there are 
11 partitions and 233 packagings. However, Gupta provides 
a useful asymtotic relatxonship on the number of 
partitions, P (N) , This is, with Pi = 3.141S9..., 

P(N) = (V(4N SQRT (3)) exp (Pi SQRT (2N/3)) 

Since the nuinber of packagings is given by D(N) - exp 
(exp (.2 > N/4) ) , then the average number of packagings 
per partition, X (N) , Would be given by 
X(N) = D(N)/P(N) 

= 4N SQRT (3) exp (exp (.2 ♦ N/4) - Pi 
SQRT (2N/3)) 


with P (N) irom Gupta's tables, 

D (N) , tlie nximber of packagings - P (N) • X (N) 

For N 20, P (N) , f rom table 1, is 627 


X-6 



ORIGINAL PAGE IS 
OF POOR QUALITY 


Substit.utin 9 N=20, one obtains 

D(N) « 627 • 80 SQRT (3) exp(exp(5.2) - Pi SQRT (40/3)) 
« 4.82 . 10T» 

For very modest numbers ot objects, the number of packaging 
schemes is astronomical* If it were possible to cost 
out 1 million packaging s per nanosecond, xt would take 
2.04 X 10<*!i years for only 20 objects I The key to a 
practical solutxon is to observe that although there are 
an enormous number of unconstrained packagings permitted, 
as soon as practical constraints are introduced, the 
number ot possibilities is greatly reduced to a much 
smaller and, hopefully, manageable quantity. We believe 
due to the relatively small size of the FTFCS, whose 
components are to be packaged in half-ATR boxes or smaller, 
that installation costs and the costs ot gaining access 
to malfunctioning devices are virtually independent of 
packaging. Tlie major cost element will be for spares 
inventory. Practical constraints which tend to restrict 
packaging freedom are items such as: 

• Shielding requirements 

Components requiring shielding usually are 
xsola ted . 

• Power consumptxon differences 

Power and signal level components are 
usually isolated. 

Failure rate disparities 

X-7 



High Jtailure modules shodld not be packaged 
with low tailure ones. 

• Maintenance approaches 

It xs unwise to mix rotables with nonrotables 
and locally repairable modules should not be 
copackaged with depot- or vendor-repairable 
modules . 

• Shock -mounting 

Only those modules requiring this should be 
copackaged . 

• Cooling and heat sinking 

• Functional testing 


ORIGINAL PAGE IS 
OF POOR QUALITY 


TABLE 1 

No. of Partitions, P(N), of N OBJECTS vs N 
(Per Gupta, op cit) 


N 

P(N) 

N 

P(N) 

1 

1 

20 

627 

2 

2 

25 

1,958 

3 

3 

30 

5,604 

4 

5 

35 

14,883 

5 

7 

40 

37,338 

6 

11 

45 

89,134 

7 

15 

50 

204,226 

8 

22 

55 

451,276 

9 

30 

60 

966,467 

10 

42 

65 

2,012,558 

11 

56 

70 

4,087,968 

12 

77 

75 

8,118,264 

13 

101 

80 

15,796,476 

14 

135 

90 

56,634,173 

15 

176 

100 

190,569,292 



original page is 

OF POOR QUALITY 

APPENDIX XI 

DERIVATION OF DELAY AND CANCELLATION COSTS 
. (ABSTRACT FROM .REFERENCE (P) D6-40895-1) 

The cost of a deloy (excluding work required to fix the cause) is assuoed to 
consist of three parts: 

• Crew post for the extra tine involved 

• • Loss of revenue froa the passengers who take another 

airline's flight 

• Passenger handling expenses such as phones, taxis, neals, and 
hotel accoioaodations. 

crb;/ costs 


Figure 1 shows a plot of flight 
crew costs for a number of 
airplane types and on equation 
for the best straight line# 
through the points is given by: 

$/seat hour = l, 8 -, 0028 n 
where n is the number of seats 
which is typical of a given 
airplane type. 



* Correlation coefficient « -.9O6, 





ORIGINAL PAGE 18 
OF POOR QUALITY 


LOSS OF EASSEIIGER raVEKUS 


FJ.gui*c 2 provides a plot shov^ijig the muabcr of passengers lost fix)a 
a cancellation. The curve is from a survey included in a report 
entitled "Cost Benefit Analysis for All-Weather Landing Syster^” 
prepared for FAA by R, Dixon Spoas Associates (October I967, AD 66I 


830). 

0 

The of passengers lost'*^^ 

» ^ * where a* 

is the flight length in 
thousands of statute miles. 

To arrive at a delay cost the 
assumption is made that at 
some length of delay « d hours 
the delay will turn into a 
cancelled flight. Typical 
values of d are assumed to be; 

0,75 hours for high frequency 
short range 



1,50 hours for intermediate range 


FIGURE 2 


3.00 hours for long range 


In addition it is assumed that up to the tine a cancellation occurs, 

the cost of a delay Increases in direct proportion to the increase 

* *■ 

in delay time. 



Correlation coefficient - -.934 



ORIGINAL PAGE IS 
OF POOR QUALITY 


The typical revenue for a 10:90 split of first and tourist is (iiven 

Rovenuc/passongor = (4.1** + 53«3s) (1978 Dollars) where s , 

(above) is thfe flight length in thousands of statute wiles. 


From a knowledge of the flight length, number of scats and load 

factor, it is thus possible to calculate the loss of revenue per 

passenger: 

,1 -.439s 

s X f X (4.14 + 53.3 s) x t 

ICO X d ' 

where s = flight length in statute miles (1000* s) 
f = load factor (fraction of seats occupied) 
d “ delay time at which flights on an average are cancelled 
(hours ) 

t = delay time (hours) 

e s 2.7183 

The above formula gives revenue cost in 1972 dollars. 



ORIGINAL PAGE *3 

OF QUAUTV 

lYwSSKriGfJH ;-Ai.T)Li:;a 

InwCrrupted ti’ip exponspa roporlcd to CAB for a dornesLip air] ir.P for 

» 

lp/2 './ore For departure dolr-ya, one hour avcrafjc dp;,ay 

tjjne, 30M paasenuers cod’ried, and a load factor of .p5, the dujay 
cost/acat due to passenger handXine per hour delay. 

Interruption expense 

“ llacibcr of passengers delayed -r- load factor 

(L 

1.32 X 10 . 

” 30 X lOO X .15 

- $,l6 per seat hour delay (1972 dollars) 


1*1! 



if 


E 

f- 






■•Sts' 






X14 


i 



t 


Wi W;w« iti twiawriii i iimimmrrTmrw(ii i iii i« OKiiffi;te Siiwi niw i CT i iiiw i n^ 


ORIGINAL PAGE IS 
OF POOR QUALITY 


TODAI. mm COST 


The’ thi'cc delay coota above con Ise simplified and ‘coabij^ed to dive 
the followins expression for delay cost in .1972 dollars: 


. _ *^^39 35 6 - 

Delay cost « ^ 1.96 - .0023 n + 0f,l4 t ^3«3s)J tn 


v/here ii ~ standard numbei* of seats for airplane type 
1 = load factor (fraction of scuts occupied) 

G average flight length (statute miles -v* 1000 ) 
t = delay time (houx'o) 

n = nmhber of seats fitted in a given airplane 
d - delay time at which flights on on average are cancelled 
(hours) 

e “ 2.7163 (constant) 


Xl-5 



ORiaNR'- 

Off POOR QUALITY 


CANCELLATION COSTS 


The cost of a cancellation can be considered as a combination 
of the delay coats up to the time a cancellation occurs, 
plus the value of Investment for the lost flight time while 
the airplane is being returned to service < An approximation 
to the true value of inactive time can be obtained using 


long-^term (3 years or i 

noro) dry lease 

costs. 

Dry lease costs 

are typically as shown 

in the table below: 



MOWmY 

PLIGHT HOURS 


cost/cahcelled 

MODEL 

LEASE 

PER DAY 

OEW 

PLIGHT HOUR 

707-3200 

$100,000 

10 

146,000 

$333 

727-100 

$ 63,000 

8 

88,000 

$250 

737-200 

$ 50,000 

8 

59,000 

$200 

747 

$ 300,000 

10 

356,000 

$1000 


Thus the cost per cancelled flight hour for that portion of cost 
associated with Inactive airplane time is about $3 pci* 1000 lbs. 
of airplane O.E.W. in 1972 dollars. Note that this value 
does not account for loss of goodwill or account for substitutions 
by an airplane of the same or different type. No satisfactory 
method of accounting for such substitutions has been developed. 


0 


m 


' 

^ ’ 




f 

I 


”1 I 


Xl-6 



ORIGINAL PAGE {S 

OF POOR QUALITY 


C0I4PABIS0N OF COSO?S Wmi THOSE USED BY AIRLINES 

Costs estimated in 1972 dollars, using the methods of this 
document, compare with those quoted hy several airlines and 
adjusted to 1972, as follows.* 


DELAYS (747, 1 hour delay) 

Airline A 

Airline B 

Airline C 

Airline D 

Airline E 

D6-40895-I Estimating method 


Delay Cost » $ 85 

« $ 420 
» ^ 525 
« $ 84 o 
$ 1420 

. = $ 1113 • . 


CANCELLATIONS {74?, 10 hours flying lost) 
Airline A Cost 

Airline B 
Airline C & D 
Airline B 

d6- 40895-1 Estimating method 


« $11,800 
« $ 2,200 
s= $ Not available 

- $ 6,300 
s $14,000 


Model 707/727 Airline "B” Delays versus Boeing d6-4o895-1 compare 
as follows: 


Model 

No of 
Seats 

Delay Cost (1972 Dollars) ] 

15 ' Delay * 

45 ' Delay * 

1 2 Hour Delay * 

Airline 

Boeing 

Airline 

Boeing 

Airline 

Boeing 

707 D> 

i 4 o 

95 


265 

480 

1260 

1280 

707 E> 

180 

100 


270 

617 

1300 

1645 

727 

100 . 

90 


220 

315 

950 

840 

727 

l 40 

95 


235 

439 

1100 

1170 


Short Range 
Intermediate Range 


Average Delay Length 


Xl-7 

















